Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local vector with low-privilege CAP_NET_ADMIN requirement; impact is limited confidentiality disclosure of kernel stack bytes, no integrity or availability effect.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_fib: fix stale stack leak via the OIFNAME register
For NFT_FIB_RESULT_OIFNAME the destination register is declared with len = IFNAMSIZ (four 32-bit registers), but on the lookup-fail, RTN_LOCAL and oif-mismatch paths nft_fib{4,6}_eval() only writes one register via "*dest = 0". The remaining three registers are left as whatever was on the stack in nft_do_chain()'s struct nft_regs, and a downstream expression that loads the register span can leak that uninitialised kernel stack to userspace.
The NFTA_FIB_F_PRESENT existence check has the same shape: it is only meaningful for NFT_FIB_RESULT_OIF, yet it was accepted for any result type while the eval stores a single byte via nft_reg_store8(), leaving the rest of the declared span stale.
Fix both:
- replace the bare "*dest = 0" in the eval with nft_fib_store_result(),
which strscpy_pad()s the whole IFNAMSIZ for OIFNAME (and is already used on the other early-return path), and
- restrict NFTA_FIB_F_PRESENT to NFT_FIB_RESULT_OIF and declare its
destination as a single u8, so the marked span matches the one byte the eval writes.
AnalysisAI
{4,6}_eval() zeroes only the first of four declared registers, leaving three registers holding uninitialized contents from nft_do_chain()'s struct nft_regs stack frame; a downstream nftables expression reading the full IFNAMSIZ span then exposes that data to userspace. No public exploit code has been identified at time of analysis and EPSS sits at the 7th percentile (0.18%), consistent with a narrow, locally-gated exploitation path.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker hold CAP_NET_ADMIN and be able to create or modify nftables rules - specifically inserting a rule that uses nft_fib with the NFT_FIB_RESULT_OIFNAME result type followed by an expression that reads the full 4-register IFNAMSIZ span. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H conflicts with the 'Information Disclosure' tag and the description, which describes a kernel stack leak to userspace - a confidentiality impact, not an availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user on a system with unprivileged user namespaces enabled creates a user network namespace (gaining CAP_NET_ADMIN within it), then installs an nftables rule that performs a FIB lookup with the OIFNAME result type and chains a subsequent expression that reads the full IFNAMSIZ register span. By triggering the lookup-fail or RTN_LOCAL path, the nft_regs stack data from the kernel's prior chain execution is returned in the expression result, potentially disclosing kernel pointers or other sensitive stack contents to userspace. … |
| Remediation | The primary remediation is to upgrade to a patched kernel version: 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (once released). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-401 – Memory Leak
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39339
GHSA-5wp9-x843-xmxf