Skip to main content

Linux Kernel EUVDEUVD-2026-39339

| CVE-2026-53134 MEDIUM
Memory Leak (CWE-401)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-5wp9-x843-xmxf
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
3.3 LOW

Local vector with low-privilege CAP_NET_ADMIN requirement; impact is limited confidentiality disclosure of kernel stack bytes, no integrity or availability effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 07, 2026 - 17:08 vuln.today
CVSS changed
Jul 07, 2026 - 17:07 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_fib: fix stale stack leak via the OIFNAME register

For NFT_FIB_RESULT_OIFNAME the destination register is declared with len = IFNAMSIZ (four 32-bit registers), but on the lookup-fail, RTN_LOCAL and oif-mismatch paths nft_fib{4,6}_eval() only writes one register via "*dest = 0". The remaining three registers are left as whatever was on the stack in nft_do_chain()'s struct nft_regs, and a downstream expression that loads the register span can leak that uninitialised kernel stack to userspace.

The NFTA_FIB_F_PRESENT existence check has the same shape: it is only meaningful for NFT_FIB_RESULT_OIF, yet it was accepted for any result type while the eval stores a single byte via nft_reg_store8(), leaving the rest of the declared span stale.

Fix both:

  • replace the bare "*dest = 0" in the eval with nft_fib_store_result(),

which strscpy_pad()s the whole IFNAMSIZ for OIFNAME (and is already used on the other early-return path), and

  • restrict NFTA_FIB_F_PRESENT to NFT_FIB_RESULT_OIF and declare its

destination as a single u8, so the marked span matches the one byte the eval writes.

AnalysisAI

{4,6}_eval() zeroes only the first of four declared registers, leaving three registers holding uninitialized contents from nft_do_chain()'s struct nft_regs stack frame; a downstream nftables expression reading the full IFNAMSIZ span then exposes that data to userspace. No public exploit code has been identified at time of analysis and EPSS sits at the 7th percentile (0.18%), consistent with a narrow, locally-gated exploitation path.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local shell access
Delivery
Create user network namespace (unprivileged)
Exploit
Acquire CAP_NET_ADMIN within namespace
Execution
Craft nftables rule with FIB OIFNAME result type
Persist
Trigger lookup-fail or RTN_LOCAL path
Impact
Read stale kernel stack via downstream expression

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker hold CAP_NET_ADMIN and be able to create or modify nftables rules - specifically inserting a rule that uses nft_fib with the NFT_FIB_RESULT_OIFNAME result type followed by an expression that reads the full 4-register IFNAMSIZ span. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H conflicts with the 'Information Disclosure' tag and the description, which describes a kernel stack leak to userspace - a confidentiality impact, not an availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user on a system with unprivileged user namespaces enabled creates a user network namespace (gaining CAP_NET_ADMIN within it), then installs an nftables rule that performs a FIB lookup with the OIFNAME result type and chains a subsequent expression that reads the full IFNAMSIZ register span. By triggering the lookup-fail or RTN_LOCAL path, the nft_regs stack data from the kernel's prior chain execution is returned in the expression result, potentially disclosing kernel pointers or other sensitive stack contents to userspace. …
Remediation The primary remediation is to upgrade to a patched kernel version: 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (once released). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39339 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy