CVE-2026-52942

NONE EPSS 2.4%
Published Jun 24, 20265d ago · Modified Jun 24, 20265d ago
Find Similar
Published Jun 24, 2026 5d ago
Last Modified Jun 24, 2026 5d ago

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_log: validate MAC header was set before dumping it The fallback path of dump_mac_header() guards the MAC header access only with "skb->mac_header != skb->network_header", without checking skb_mac_header_was_set(). When the MAC header is unset, mac_header is 0xffff, so the test passes and skb_mac_header(skb) returns skb->head + 0xffff, ~64 KiB past the buffer; the loop then reads dev->hard_header_len bytes out of bounds into the kernel log. This is reachable via the netdev logger: nf_log_unknown_packet() calls dump_mac_header() unconditionally, and an skb sent through AF_PACKET with PACKET_QDISC_BYPASS reaches the egress hook with mac_header still unset (__dev_queue_xmit(), which would reset it, is bypassed). Add the skb_mac_header_was_set() check the ARPHRD_ETHER path already uses, and replace the open-coded MAC header length test with skb_mac_header_len(). Only skbs with an unset MAC header are affected; valid ones are dumped as before. BUG: KASAN: slab-out-of-bounds in dump_mac_header (net/netfilter/nf_log_syslog.c:831) Read of size 1 at addr ffff88800ea49d3f by task exploit/148 Call Trace: kasan_report (mm/kasan/report.c:595) dump_mac_header (net/netfilter/nf_log_syslog.c:831) nf_log_netdev_packet (net/netfilter/nf_log_syslog.c:938 net/netfilter/nf_log_syslog.c:963) nf_log_packet (net/netfilter/nf_log.c:260) nft_log_eval (net/netfilter/nft_log.c:60) nft_do_chain (net/netfilter/nf_tables_core.c:285) nft_do_chain_netdev (net/netfilter/nft_chain_filter.c:307) nf_hook_slow (net/netfilter/core.c:619) nf_hook_direct_egress (net/packet/af_packet.c:257) packet_xmit (net/packet/af_packet.c:280) packet_sendmsg (net/packet/af_packet.c:3114) __sys_sendto (net/socket.c:2265)

Threat Intelligence

EPSS Exploit Probability
2.4% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

References 7

  • git.kernel.org https://git.kernel.org/stable/c/65ef7397eb9a296e91839f5fd10be96f23d332e7
  • git.kernel.org https://git.kernel.org/stable/c/8a81e336da685423f5b64aac4d571e63d674c52a
  • git.kernel.org https://git.kernel.org/stable/c/a84b6fedbc97078788be78dbdd7517d143ad1a77
  • git.kernel.org https://git.kernel.org/stable/c/af1b7699466f6556b351fa25d3dc870abfb5d310
  • git.kernel.org https://git.kernel.org/stable/c/befb8968a2abdfa948d5600ea7f7a509a292a590
  • git.kernel.org https://git.kernel.org/stable/c/c38d41134085193efd5b237cf513ad5b3421a60d
  • git.kernel.org https://git.kernel.org/stable/c/d704ee9c7bc68a161684c51a7ac05b446dcf38d4

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.