Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Local attacker needs CAP_NET_ADMIN to set the ARP-SNAT rule plus a specific splice-imported paged skb, so PR:H/AC:H; cross-page write gives S:C with integrity-dominant impact.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
netfilter: bridge: make ebt_snat ARP rewrite writable
The ebtables SNAT target keeps the Ethernet source address rewrite behind skb_ensure_writable(skb, 0). This is intentional: at the bridge ebtables hooks the Ethernet header is addressed through skb_mac_header()/eth_hdr(), while skb->data points at the Ethernet payload. Asking skb_ensure_writable() for ETH_HLEN bytes would check the payload, not the Ethernet header, and would reintroduce the small packet regression fixed by commit 63137bc5882a.
However, the optional ARP sender hardware address rewrite is different. It writes through skb_store_bits() at an offset relative to skb->data:
skb_store_bits(skb, sizeof(struct arphdr), info->mac, ETH_ALEN)
skb_header_pointer() only safely reads the ARP header; it does not make the later sender hardware address range writable. If that range is still held in a nonlinear skb fragment backed by a splice-imported file page, skb_store_bits() maps the frag page and copies the new MAC address directly into it.
Ensure the ARP SHA range is writable before reading the ARP header and before calling skb_store_bits().
AnalysisAI
Out-of-bounds/illegitimate write in the Linux kernel's bridge netfilter ebtables SNAT target (ebt_snat) lets the optional ARP sender-hardware-address rewrite copy a MAC address into a non-linear skb fragment that is still backed by a splice-imported file page, corrupting memory the kernel should not write to. The flaw affects systems using the bridge ebtables SNAT target with ARP rewrite enabled; the fix makes the ARP SHA range writable via skb_ensure_writable() before skb_store_bits() runs. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) a Linux bridge with ebtables, (2) an active ebtables SNAT target rule that enables the optional ARP sender-hardware-address (SHA) rewrite - this is the exact feature that performs skb_store_bits(skb, sizeof(struct arphdr), info->mac, ETH_ALEN), (3) the privilege to install that rule, i.e. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals conflict and should be weighed carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with CAP_NET_ADMIN (for example inside a container or network namespace granted network-admin rights) installs an ebtables bridge SNAT rule with ARP MAC rewrite enabled, then drives ARP traffic through the bridge crafted so the sender-hardware-address bytes land in a non-linear skb fragment whose page was splice-imported from a file. The SNAT ARP rewrite then writes the attacker-chosen MAC directly into that file-backed page, corrupting memory across the intended boundary (scope change). … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later in each series), per the corresponding git.kernel.org stable commits such as https://git.kernel.org/stable/c/153ea96c806aea395daba907a4f88480b6ad5093 and the other commits listed in CVE-2026-53266. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Conduct inventory of Linux systems using ebtables bridge SNAT with ARP sender-hardware-address rewrite enabled. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39217
GHSA-xmhg-rr34-2chj