Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local-only stack corruption requiring CAP_NET_ADMIN to load nft rules (PR:L, AV:L); a simple two-expression ruleset reliably triggers it (AC:L), and kernel memory corruption yields full C/I/A impact.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_ct: bail out on template ct in get eval
I noticed this issue while looking at a historic syzbot report [1].
A rule like the one below is enough to trigger the bug:
table ip t { chain pre { type filter hook prerouting priority raw; ct zone set 1 ct original saddr 1.2.3.4 accept } }
The first expression attaches a per-cpu template ct via nft_ct_set_zone_eval() (nf_ct_tmpl_alloc -> kzalloc, tuple is all zero, nf_ct_l3num(ct) == 0). The next expression then calls nft_ct_get_eval() on the same skb, treats the template as a real ct and hits the 16-byte memcpy path. With dreg at NFT_REG32_15 this overflows past struct nft_regs on the kernel stack; with smaller dreg values it silently clobbers adjacent registers.
Reject template ct at the eval entry and in nft_ct_get_fast_eval(), mirroring the check nft_ct_set_eval() already has. Additionally, bound the address copy in NFT_CT_SRC / NFT_CT_DST by priv->len instead of by nf_ct_l3num(ct): nf_ct_get_tuple() zeroes the tuple before pkt_to_tuple() fills in only the protocol-relevant leading bytes, so the trailing bytes of tuple->{src,dst}.u3.all are well-defined zero. priv->len is validated at rule load, so the copy size is now bounded by the destination register rather than by an untrusted field on the conntrack.
[1]: https://syzkaller.appspot.com/bug?id=389cf09cb72926114fce90dc85a2c3231dcb647c
AnalysisAI
Stack-based out-of-bounds write in the Linux kernel netfilter nf_tables conntrack (nft_ct) module lets a local actor with rule-loading capability corrupt the kernel stack, enabling privilege escalation or denial of service. When an nftables ruleset attaches a per-CPU template conntrack (e.g. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the ability to load an nftables ruleset that combines a conntrack template-creating expression ('ct zone set', which calls nf_ct_tmpl_alloc) with a subsequent conntrack get expression ('ct original/reply saddr/daddr') in the same chain on the same packet path - that specific expression combination IS the trigger. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are consistent and point to a genuine but locally-scoped issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user (or a process inside a container with CAP_NET_ADMIN, e.g. via an unprivileged user namespace) loads an nftables ruleset that first sets a conntrack zone and then reads ct original saddr in the same chain. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 6.6.143, 6.12.94, 6.18.36, 7.0.13, or mainline 7.1 (or any later release on those branches), applying the build your distribution ships once it incorporates the netfilter nft_ct fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory Linux systems with nftables enabled and audit user access to rule-loading capabilities. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-674 – Uncontrolled Recursion
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39218
GHSA-mrf2-hc9c-229v