Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local low-privilege attacker leaks 2 uninitialized stack bytes via a register read; no integrity or availability impact is described or plausible from the mechanism.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register
NFT_META_BRI_IIFHWADDR declares its destination register with len = ETH_ALEN (6 bytes), which the register-init tracking rounds up to two 32-bit registers (8 bytes). nft_meta_bridge_get_eval() then does memcpy(dest, br_dev->dev_addr, ETH_ALEN), writing only 6 bytes and leaving the upper 2 bytes of the second register as uninitialised nft_do_chain() stack. A downstream load of that register span leaks those stale bytes to userspace.
Zero the second register before the memcpy so the full declared span is written.
AnalysisAI
Kernel stack information disclosure in the Linux kernel's netfilter nft_meta_bridge subsystem leaks 2 bytes of uninitialized stack data to userspace via the IIFHWADDR register. A local attacker with CAP_NET_ADMIN privileges can craft an nftables bridge rule that reads the full 8-byte register span after a memcpy writes only 6 bytes, exposing stale nft_do_chain() stack content. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local system access with CAP_NET_ADMIN capability or equivalent privilege within a Linux user namespace. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, score 5.5) contains a significant internal inconsistency: the described impact is 2 bytes of kernel stack leaking to userspace - a confidentiality concern - yet the vector assigns C:N (no confidentiality impact) and A:H (high availability). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker with CAP_NET_ADMIN capability - or operating within a Linux user namespace that grants equivalent rights - loads nftables bridge rules referencing the IIFHWADDR meta attribute and a downstream register-read expression spanning the full 8-byte register width. When bridged packets trigger rule evaluation, nft_meta_bridge_get_eval() copies 6 bytes of MAC address and leaves 2 bytes of stale nft_do_chain() stack content readable via the downstream expression. … |
| Remediation | Upgrade to Linux kernel 6.18.36 (stable) or 7.0.13 (stable); the 7.1-rc series fix targets the 7.1 stable release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-401 – Memory Leak
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39302
GHSA-vccq-h5j4-92qr