CVE-2026-53131

Summary

In the Linux kernel, the following vulnerability has been resolved:

netfilter: require Ethernet MAC header before using eth_hdr()

ip6t_eui64, xt_mac, the bitmap:ip,mac, hash:ip,mac, and hash:mac ipset types, and nf_log_syslog access eth_hdr(skb) after either assuming that the skb is associated with an Ethernet device or checking only that the ETH_HLEN bytes at skb_mac_header(skb) lie between skb->head and skb->data.

Make these paths first verify that the skb is associated with an Ethernet device, that the MAC header was set, and that it spans at least a full Ethernet header before accessing eth_hdr(skb).

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 4435888e1bf139d2bfe5911643d4217382136743affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 063f43361e884acd7300790e90194430275d0d0caffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 726abf97566867f808fec9d8a408eb9698bd570aaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 367abcacc13a8e2e7624408b7f593bd1e60e49d9affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 5d634afb8b83b49de562792fd0d047416a43bd4daffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < cea435ea7e868ea6fdf039bc4f2090c1d829b556affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 62443dc21114c0bbc476fa62973db89743f2f137affected
LinuxLinux2.6.12affected
LinuxLinux0 < 2.6.12unaffected
LinuxLinux5.15.210 <= 5.15.*unaffected
LinuxLinux6.1.176 <= 6.1.*unaffected
LinuxLinux6.6.143 <= 6.6.*unaffected
LinuxLinux6.12.94 <= 6.12.*unaffected
LinuxLinux6.18.36 <= 6.18.*unaffected
LinuxLinux7.0.13 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References