CVE-2026-53014

Summary

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir

In tcf_blockcast_redir(), when iterating block ports to redirect packets to multiple devices, the mac_header_xmit flag is queried from the wrong device. The loop sends to dev_prev but queries dev_is_mac_header_xmit(dev) — which is the NEXT device in the iteration, not the one being sent to.

This causes tcf_mirred_to_dev() to make incorrect decisions about whether to push or pull the MAC header. When the block contains mixed device types (e.g., an ethernet veth and a tunnel device), intermediate devices get the wrong mac_header_xmit flag, leading to skb header corruption. In the worst case, skb_push_rcsum with an incorrect mac_len can exhaust headroom and panic.

The last device in the loop is handled correctly (line 365-366 uses dev_is_mac_header_xmit(dev_prev)), confirming this is a copy-paste oversight for the intermediate devices.

Fix by using dev_prev instead of dev for the mac_header_xmit query, consistent with the device actually being sent to.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux42f39036cda808d3de243192a2cf5125f12f3047 < 8fda5174286119addd28473fb2ec5bdf521c05a8affected
LinuxLinux42f39036cda808d3de243192a2cf5125f12f3047 < 7db3e4e03032261b1b519341123fc30d995478caaffected
LinuxLinux42f39036cda808d3de243192a2cf5125f12f3047 < 4764953c4b47585eb72797b216b63a831dc0c7e6affected
LinuxLinux42f39036cda808d3de243192a2cf5125f12f3047 < 4510d140524ca7d6e772db962e013f26f09a63b1affected
LinuxLinux6.8affected
LinuxLinux0 < 6.8unaffected
LinuxLinux6.12.91 <= 6.12.*unaffected
LinuxLinux6.18.33 <= 6.18.*unaffected
LinuxLinux7.0.10 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References