
Linux Kernel · EUVD-2026-38868

CVE-2026-53000 · HIGH 7.8 (CVSS 3.1) · Vendor: Linux
Release of Invalid Pointer or Reference (CWE-763)
Published 2026-06-24 · Linux · GHSA-6794-4vqv-w8qg

Severity by source

Vendor (Linux), primary: 7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 7.0 HIGH

Local-only UAF (AV:L) needing CAP_NET_ADMIN (PR:L) and a timing race against the hook dump (AC:H); kernel memory corruption yields high C/I/A.

CVSS 3.1: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS Vector (Vendor: Linux)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 28, 2026 - 08:46 (vuln.today)
CVSS changed: Jun 28, 2026 - 08:22 (NVD), 7.8 (HIGH)
Patch available: Jun 24, 2026 - 18:02 (EUVD)
CVE Published: Jun 24, 2026 - 16:29 (cve.org), HIGH 7.8
CVE Published: Jun 24, 2026 - 16:29 (cve.org), UNKNOWN (no severity yet)

Description (CVE.org)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nat: use kfree_rcu to release ops

Florian Westphal says:

"Historically this is not an issue, even for normal base hooks: the data path doesn't use the original nf_hook_ops that are used to register the callbacks.

However, in v5.14 I added the ability to dump the active netfilter hooks from userspace.

This code will peek back into the nf_hook_ops that are available at the tail of the pointer-array blob used by the datapath.

The nat hooks are special, because they are called indirectly from the central nat dispatcher hook. They are currently invisible to the nfnl hook dump subsystem though.

But once that changes the nat ops structures have to be deferred too."

Update nf_nat_register_fn() to deal with partial exposition of the hooks from the error path, which can also be an issue for nfnetlink_hook.

Analysis (AI)

Local privilege escalation / memory corruption in the Linux kernel's netfilter NAT subsystem (introduced in v5.14) arises because nf_nat_register_fn() freed nf_hook_ops structures immediately rather than deferring the release via RCU. Because the v5.14-era nfnetlink_hook feature lets userspace dump active netfilter hooks by peeking into the ops blob, a concurrent dump racing the NAT (un)register error path can access ops memory after it is freed. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Gain local CAP_NET_ADMIN (e.g. user namespace)
Delivery: Trigger NAT hook register/unregister error path
Exploit: Concurrently dump hooks via nfnetlink
Execution: Access freed nf_hook_ops (use-after-free)
Persist: Leak kernel memory or corrupt state
Impact: Escalate privileges

Vulnerability Assessment (AI)

Exploitation: Exploitation requires local access with the ability to register netfilter NAT hooks (CAP_NET_ADMIN, which an unprivileged user may obtain within an unprivileged user/network namespace if enabled), and a kernel at or after v5.14 where the nfnetlink hook-dump interface exists. …

Risk Assessment: Signals are mixed and lean toward lower real-world urgency than the 7.8 score alone implies. …

Exploit Scenario: A local low-privileged user with CAP_NET_ADMIN (potentially obtained inside an unprivileged user+network namespace) repeatedly registers and unregisters NAT hooks to force the error path while a second thread continuously dumps active netfilter hooks via nfnetlink. By winning the race, the attacker causes the kernel to read NAT nf_hook_ops memory after it has been freed, potentially leaking kernel data or corrupting memory for further escalation. …

Remediation: Vendor-released patch: upgrade to Linux kernel 6.18.33, 7.0.10, or 7.1 (or your distribution's backported equivalent), which change nf_nat_register_fn() to release ops via kfree_rcu() and correctly handle partial hook exposition on the error path. …

Recommended Action (AI)

Within 24 hours: Identify and document all Linux systems running kernel versions 5.14 and later in your environment. …
