Skip to main content

Linux Kernel CVE-2026-53266

| EUVDEUVD-2026-39217 HIGH
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-xmhg-rr34-2chj
8.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
6.7 MEDIUM

Local attacker needs CAP_NET_ADMIN to set the ARP-SNAT rule plus a specific splice-imported paged skb, so PR:H/AC:H; cross-page write gives S:C with integrity-dominant impact.

3.1 AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:L
4.0 AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:49 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
8.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 8.8
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: bridge: make ebt_snat ARP rewrite writable

The ebtables SNAT target keeps the Ethernet source address rewrite behind skb_ensure_writable(skb, 0). This is intentional: at the bridge ebtables hooks the Ethernet header is addressed through skb_mac_header()/eth_hdr(), while skb->data points at the Ethernet payload. Asking skb_ensure_writable() for ETH_HLEN bytes would check the payload, not the Ethernet header, and would reintroduce the small packet regression fixed by commit 63137bc5882a.

However, the optional ARP sender hardware address rewrite is different. It writes through skb_store_bits() at an offset relative to skb->data:

skb_store_bits(skb, sizeof(struct arphdr), info->mac, ETH_ALEN)

skb_header_pointer() only safely reads the ARP header; it does not make the later sender hardware address range writable. If that range is still held in a nonlinear skb fragment backed by a splice-imported file page, skb_store_bits() maps the frag page and copies the new MAC address directly into it.

Ensure the ARP SHA range is writable before reading the ARP header and before calling skb_store_bits().

AnalysisAI

Out-of-bounds/illegitimate write in the Linux kernel's bridge netfilter ebtables SNAT target (ebt_snat) lets the optional ARP sender-hardware-address rewrite copy a MAC address into a non-linear skb fragment that is still backed by a splice-imported file page, corrupting memory the kernel should not write to. The flaw affects systems using the bridge ebtables SNAT target with ARP rewrite enabled; the fix makes the ARP SHA range writable via skb_ensure_writable() before skb_store_bits() runs. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain CAP_NET_ADMIN in netns
Delivery
Install ebtables bridge SNAT ARP-rewrite rule
Exploit
Send ARP frames via splice-backed paged skb
Execution
Trigger skb_store_bits into file page
Impact
Corrupt cross-context kernel memory

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) a Linux bridge with ebtables, (2) an active ebtables SNAT target rule that enables the optional ARP sender-hardware-address (SHA) rewrite - this is the exact feature that performs skb_store_bits(skb, sizeof(struct arphdr), info->mac, ETH_ALEN), (3) the privilege to install that rule, i.e. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals conflict and should be weighed carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with CAP_NET_ADMIN (for example inside a container or network namespace granted network-admin rights) installs an ebtables bridge SNAT rule with ARP MAC rewrite enabled, then drives ARP traffic through the bridge crafted so the sender-hardware-address bytes land in a non-linear skb fragment whose page was splice-imported from a file. The SNAT ARP rewrite then writes the attacker-chosen MAC directly into that file-backed page, corrupting memory across the intended boundary (scope change). …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later in each series), per the corresponding git.kernel.org stable commits such as https://git.kernel.org/stable/c/153ea96c806aea395daba907a4f88480b6ad5093 and the other commits listed in CVE-2026-53266. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Conduct inventory of Linux systems using ebtables bridge SNAT with ARP sender-hardware-address rewrite enabled. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53266 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy