netfilter: nf_log: validate MAC header was set before dumping it

Summary

CVE: CVE-2026-52942
State: PUBLISHED
Assigner: Linux
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2026-06-24 08:16:24 UTC
Updated: 2026-06-24 08:16:24 UTC
Description: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_log: validate MAC header was set before dumping it

The fallback path of dump_mac_header() guards the MAC header access only with "skb->mac_header != skb->network_header", without checking skb_mac_header_was_set(). When the MAC header is unset, mac_header is 0xffff, so the test passes and skb_mac_header(skb) returns skb->head + 0xffff, ~64 KiB past the buffer; the loop then reads dev->hard_header_len bytes out of bounds into the kernel log.

This is reachable via the netdev logger: nf_log_unknown_packet() calls dump_mac_header() unconditionally, and an skb sent through AF_PACKET with PACKET_QDISC_BYPASS reaches the egress hook with mac_header still unset (__dev_queue_xmit(), which would reset it, is bypassed).

Add the skb_mac_header_was_set() check the ARPHRD_ETHER path already uses, and replace the open-coded MAC header length test with skb_mac_header_len(). Only skbs with an unset MAC header are affected; valid ones are dumped as before.

BUG: KASAN: slab-out-of-bounds in dump_mac_header (net/netfilter/nf_log_syslog.c:831)
Read of size 1 at addr ffff88800ea49d3f by task exploit/148
Call Trace:
 kasan_report (mm/kasan/report.c:595)
 dump_mac_header (net/netfilter/nf_log_syslog.c:831)
 nf_log_netdev_packet (net/netfilter/nf_log_syslog.c:938 net/netfilter/nf_log_syslog.c:963)
 nf_log_packet (net/netfilter/nf_log.c:260)
 nft_log_eval (net/netfilter/nft_log.c:60)
 nft_do_chain (net/netfilter/nf_tables_core.c:285)
 nft_do_chain_netdev (net/netfilter/nft_chain_filter.c:307)
 nf_hook_slow (net/netfilter/core.c:619)
 nf_hook_direct_egress (net/packet/af_packet.c:257)
 packet_xmit (net/packet/af_packet.c:280)
 packet_sendmsg (net/packet/af_packet.c:3114)
 __sys_sendto (net/socket.c:2265)
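The guard logic described above, as an added example that is not the kernel's code or part of this record: a userland model comparing the offset-only test with the was-set plus length test. The struct, function names and the sample offsets (64, 50, 2048, 14) are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified userland model of the sk_buff header offsets (not kernel code). */
struct skb_model {
    uint16_t mac_header;      /* offset from head; 0xffff when unset */
    uint16_t network_header;  /* offset from head */
    unsigned int buf_size;    /* bytes allocated at head (constructed) */
};

#define MAC_UNSET ((uint16_t)~0U)

/* Pre-fix guard: only compares the two offsets. Returns the offset the
 * dump would start reading at, or -1 if the dump is skipped. */
static long dump_offset_old(const struct skb_model *skb)
{
    if (skb->mac_header != skb->network_header)
        return skb->mac_header;
    return -1;
}

/* Fixed guard: require the MAC header to be set, then a non-zero length. */
static long dump_offset_fixed(const struct skb_model *skb)
{
    bool was_set = skb->mac_header != MAC_UNSET;
    if (was_set && (uint16_t)(skb->network_header - skb->mac_header) != 0)
        return skb->mac_header;
    return -1;
}

/* True when reading len bytes at off stays inside the buffer. */
static bool read_in_bounds(const struct skb_model *skb, long off, unsigned int len)
{
    return off >= 0 && (unsigned long)off + len <= skb->buf_size;
}

int main(void)
{
    struct skb_model unset = { MAC_UNSET, 64, 2048 };  /* constructed values */
    struct skb_model valid = { 50, 64, 2048 };         /* constructed values */
    const unsigned int hlen = 14;  /* stand-in for dev->hard_header_len */
    printf("unset old:   off=%ld in_bounds=%d\n", dump_offset_old(&unset),
           read_in_bounds(&unset, dump_offset_old(&unset), hlen));
    printf("unset fixed: off=%ld\n", dump_offset_fixed(&unset));
    printf("valid fixed: off=%ld in_bounds=%d\n", dump_offset_fixed(&valid),
           read_in_bounds(&valid, dump_offset_fixed(&valid), hlen));
    return 0;
}
```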

Vendor Declared Affected Products

Source  Vendor  Product  Version  Platforms
CNA Linux Linux affected 7eb9282cd0efac08b8377cbd5037ba297c77e3f7 d704ee9c7bc68a161684c51a7ac05b446dcf38d4 git Not specified
CNA Linux Linux affected 7eb9282cd0efac08b8377cbd5037ba297c77e3f7 befb8968a2abdfa948d5600ea7f7a509a292a590 git Not specified
CNA Linux Linux affected 7eb9282cd0efac08b8377cbd5037ba297c77e3f7 8a81e336da685423f5b64aac4d571e63d674c52a git Not specified
CNA Linux Linux affected 7eb9282cd0efac08b8377cbd5037ba297c77e3f7 c38d41134085193efd5b237cf513ad5b3421a60d git Not specified
CNA Linux Linux affected 7eb9282cd0efac08b8377cbd5037ba297c77e3f7 af1b7699466f6556b351fa25d3dc870abfb5d310 git Not specified
CNA Linux Linux affected 7eb9282cd0efac08b8377cbd5037ba297c77e3f7 65ef7397eb9a296e91839f5fd10be96f23d332e7 git Not specified
CNA Linux Linux affected 7eb9282cd0efac08b8377cbd5037ba297c77e3f7 a84b6fedbc97078788be78dbdd7517d143ad1a77 git Not specified
CNA Linux Linux affected 2.6.36 Not specified
CNA Linux Linux unaffected 2.6.36 semver Not specified
CNA Linux Linux unaffected 5.15.210 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.176 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.143 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.94 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.36 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.13 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1 * original_commit_for_fix Not specified

References

Reference  Source  Link  Tags
git.kernel.org/stable/c/a84b6fedbc97078788be78dbdd7517d143ad1a77 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/d704ee9c7bc68a161684c51a7ac05b446dcf38d4 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/65ef7397eb9a296e91839f5fd10be96f23d332e7 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/af1b7699466f6556b351fa25d3dc870abfb5d310 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/8a81e336da685423f5b64aac4d571e63d674c52a 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/befb8968a2abdfa948d5600ea7f7a509a292a590 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/c38d41134085193efd5b237cf513ad5b3421a60d 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis