Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
Reachable only with non-default MAC-based netfilter/ipset config and non-Ethernet-path packets (AC:H); bounded OOB read leaks limited memory (C:L) and can oops the kernel (A:H), no integrity impact.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
netfilter: require Ethernet MAC header before using eth_hdr()
ip6t_eui64, xt_mac, the bitmap:ip,mac, hash:ip,mac, and hash:mac ipset types, and nf_log_syslog access eth_hdr(skb) after either assuming that the skb is associated with an Ethernet device or checking only that the ETH_HLEN bytes at skb_mac_header(skb) lie between skb->head and skb->data.
Make these paths first verify that the skb is associated with an Ethernet device, that the MAC header was set, and that it spans at least a full Ethernet header before accessing eth_hdr(skb).
AnalysisAI
Out-of-bounds memory access in the Linux kernel's netfilter subsystem allows attackers to leak adjacent kernel memory or crash the host by sending packets that traverse MAC-based matching paths (xt_mac, ip6t_eui64, the bitmap:ip,mac/hash:ip,mac/hash:mac ipset types, and nf_log_syslog) which call eth_hdr(skb) without first confirming the skb carries a full Ethernet header. Affected kernels span the 5.15 through 7.1 stable trees prior to the fixed releases, and the impact is information disclosure and denial of service rather than code execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target host has MAC-address-based netfilter processing enabled - specifically an `xt_mac` (`-m mac`) rule, an `ip6t_eui64` match, a `bitmap:ip,mac` / `hash:ip,mac` / `hash:mac` ipset in use, or MAC logging through `nf_log_syslog` - AND that a packet reaches that code on an skb not backed by a complete Ethernet MAC header (e.g., arriving via a non-Ethernet device such as a tunnel, PPP, or loopback, or before the MAC header is set). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals here conflict and warrant scrutiny. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An administrator runs a firewall using `-m mac` matches or a `hash:mac` ipset, and the host receives traffic over a non-Ethernet interface such as a VPN tunnel, PPP link, or loopback. An attacker sends a crafted packet down that path so that when netfilter evaluates the MAC match it dereferences `eth_hdr(skb)` past the valid header, leaking adjacent kernel bytes into logs or oopsing the kernel. … |
| Remediation | Vendor-released patch: update to Linux 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later) matching your branch, then reboot or apply the corresponding livepatch; the fixes are the stable commits at git.kernel.org/stable/c/ (063f4336…, 367abcac…, 4435888e…, 5d634afb…, 62443dc2…, 726abf97…, cea435ea…). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running Linux kernel versions 5.15-7.1 stable and assess criticality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39336
GHSA-8cg3-6h68-w2cj