Skip to main content

Linux Kernel EUVDEUVD-2026-39218

| CVE-2026-53267 HIGH
Uncontrolled Recursion (CWE-674)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-mrf2-hc9c-229v
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local-only stack corruption requiring CAP_NET_ADMIN to load nft rules (PR:L, AV:L); a simple two-expression ruleset reliably triggers it (AC:L), and kernel memory corruption yields full C/I/A impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:49 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_ct: bail out on template ct in get eval

I noticed this issue while looking at a historic syzbot report [1].

A rule like the one below is enough to trigger the bug:

table ip t { chain pre { type filter hook prerouting priority raw; ct zone set 1 ct original saddr 1.2.3.4 accept } }

The first expression attaches a per-cpu template ct via nft_ct_set_zone_eval() (nf_ct_tmpl_alloc -> kzalloc, tuple is all zero, nf_ct_l3num(ct) == 0). The next expression then calls nft_ct_get_eval() on the same skb, treats the template as a real ct and hits the 16-byte memcpy path. With dreg at NFT_REG32_15 this overflows past struct nft_regs on the kernel stack; with smaller dreg values it silently clobbers adjacent registers.

Reject template ct at the eval entry and in nft_ct_get_fast_eval(), mirroring the check nft_ct_set_eval() already has. Additionally, bound the address copy in NFT_CT_SRC / NFT_CT_DST by priv->len instead of by nf_ct_l3num(ct): nf_ct_get_tuple() zeroes the tuple before pkt_to_tuple() fills in only the protocol-relevant leading bytes, so the trailing bytes of tuple->{src,dst}.u3.all are well-defined zero. priv->len is validated at rule load, so the copy size is now bounded by the destination register rather than by an untrusted field on the conntrack.

[1]: https://syzkaller.appspot.com/bug?id=389cf09cb72926114fce90dc85a2c3231dcb647c

AnalysisAI

Stack-based out-of-bounds write in the Linux kernel netfilter nf_tables conntrack (nft_ct) module lets a local actor with rule-loading capability corrupt the kernel stack, enabling privilege escalation or denial of service. When an nftables ruleset attaches a per-CPU template conntrack (e.g. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local CAP_NET_ADMIN (root or user namespace)
Delivery
Load nft ruleset with ct zone set + ct get
Exploit
Send packet through prerouting chain
Execution
Template ct treated as real ct in get eval
Persist
16-byte memcpy overflows nft_regs on kernel stack
Impact
Corrupt kernel memory for escalation or crash

Vulnerability AssessmentAI

Exploitation Exploitation requires the ability to load an nftables ruleset that combines a conntrack template-creating expression ('ct zone set', which calls nf_ct_tmpl_alloc) with a subsequent conntrack get expression ('ct original/reply saddr/daddr') in the same chain on the same packet path - that specific expression combination IS the trigger. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are consistent and point to a genuine but locally-scoped issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user (or a process inside a container with CAP_NET_ADMIN, e.g. via an unprivileged user namespace) loads an nftables ruleset that first sets a conntrack zone and then reads ct original saddr in the same chain. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 6.6.143, 6.12.94, 6.18.36, 7.0.13, or mainline 7.1 (or any later release on those branches), applying the build your distribution ships once it incorporates the netfilter nft_ct fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory Linux systems with nftables enabled and audit user access to rule-loading capabilities. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39218 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy