netfilter: nft_fib: fix stale stack leak via the OIFNAME register

Summary

CVE: CVE-2026-53134
State: PUBLISHED
Assigner: Linux
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2026-06-25 09:16:30 UTC
Updated: 2026-06-25 09:16:30 UTC
Description: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_fib: fix stale stack leak via the OIFNAME register

For NFT_FIB_RESULT_OIFNAME the destination register is declared with len = IFNAMSIZ (four 32-bit registers), but on the lookup-fail, RTN_LOCAL and oif-mismatch paths nft_fib{4,6}_eval() only writes one register via "*dest = 0". The remaining three registers are left as whatever was on the stack in nft_do_chain()'s struct nft_regs, and a downstream expression that loads the register span can leak that uninitialised kernel stack to userspace.

The NFTA_FIB_F_PRESENT existence check has the same shape: it is only meaningful for NFT_FIB_RESULT_OIF, yet it was accepted for any result type while the eval stores a single byte via nft_reg_store8(), leaving the rest of the declared span stale.

Fix both:

- replace the bare "*dest = 0" in the eval with nft_fib_store_result(), which strscpy_pad()s the whole IFNAMSIZ for OIFNAME (and is already used on the other early-return path), and
- restrict NFTA_FIB_F_PRESENT to NFT_FIB_RESULT_OIF and declare its destination as a single u8, so the marked span matches the one byte the eval writes.
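A userspace model of the OIFNAME register behaviour the description refers to, added here as an illustration; it is not kernel code and not part of the CVE record. The `model_*` names, the eight-register array and the 0xA5 fill standing in for stale stack contents are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16   /* same value as the kernel constant: four 32-bit registers */
#define STALE    0xA5 /* constructed stand-in for leftover stack bytes */

/* Hypothetical model of a register file that is not cleared before use. */
struct model_regs { uint32_t data[8]; };

/* Pre-fix shape of the failure paths: only the first register is written. */
static void model_eval_fail_old(uint32_t *dest) { *dest = 0; }

/* Post-fix shape: the name is stored and the rest of the IFNAMSIZ span is
 * zero-padded, which is the effect the description attributes to strscpy_pad(). */
static void model_store_oifname(uint32_t *dest, const char *name)
{
    char buf[IFNAMSIZ] = {0};
    snprintf(buf, sizeof(buf), "%s", name);
    memcpy(dest, buf, IFNAMSIZ);
}

/* What a downstream load of the declared span would see: count stale bytes. */
static int model_stale_bytes(const uint32_t *dest, size_t declared_len)
{
    const unsigned char *p = (const unsigned char *)dest;
    int n = 0;
    for (size_t i = 0; i < declared_len; i++)
        n += (p[i] == STALE);
    return n;
}

/* Run one failure-path evaluation and report stale bytes in the OIFNAME span. */
static int model_run(int fixed)
{
    struct model_regs regs;
    memset(regs.data, STALE, sizeof(regs.data)); /* simulate uninitialised stack */
    if (fixed)
        model_store_oifname(&regs.data[0], ""); /* empty name on failure */
    else
        model_eval_fail_old(&regs.data[0]);
    return model_stale_bytes(&regs.data[0], IFNAMSIZ);
}

int main(void)
{
    printf("single-register write: %d stale bytes in span\n", model_run(0));
    printf("padded store:          %d stale bytes in span\n", model_run(1));
    return 0;
}
```

The gap between the declared span length and the bytes actually written is the quantity to audit in any expression that declares a multi-register destination.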

Risk And Classification

EPSS: 0.001760000 probability, percentile 0.073840000 (date 2026-06-26)

Vendor Declared Affected Products

Source Vendor Product Version Platforms
CNA Linux Linux affected f6d0cbcf09c506b9b022df8f9d7693a7cec3c732 6744e49fe51bfba26522acc2d0e9703cb41d8e50 git Not specified
CNA Linux Linux affected f6d0cbcf09c506b9b022df8f9d7693a7cec3c732 eca18feed38b3377a2ec5d1f22af1170c55d0171 git Not specified
CNA Linux Linux affected f6d0cbcf09c506b9b022df8f9d7693a7cec3c732 d19ddef8c327a4773ff81f8e51027d1e0b4cf069 git Not specified
CNA Linux Linux affected f6d0cbcf09c506b9b022df8f9d7693a7cec3c732 eb8a8124484dbc3c2b543e207da39bbccb703d31 git Not specified
CNA Linux Linux affected f6d0cbcf09c506b9b022df8f9d7693a7cec3c732 8c84885e9790823828bb8084736ea15769b1ac16 git Not specified
CNA Linux Linux affected f6d0cbcf09c506b9b022df8f9d7693a7cec3c732 84d8f58cf28a0415413f43ba7148f7bacd4c1b6e git Not specified
CNA Linux Linux affected f6d0cbcf09c506b9b022df8f9d7693a7cec3c732 3544210609f6d1db282bbdeca639104ef624c393 git Not specified
CNA Linux Linux affected f6d0cbcf09c506b9b022df8f9d7693a7cec3c732 ab185e0c4fb82dfba6fb86f8271e06f931d9c64c git Not specified
CNA Linux Linux affected 4.10 Not specified
CNA Linux Linux unaffected 4.10 semver Not specified
CNA Linux Linux unaffected 5.10.259 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.210 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.176 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.143 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.94 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.36 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.13 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1 * original_commit_for_fix Not specified

References

Reference Source Link Tags
git.kernel.org/stable/c/ab185e0c4fb82dfba6fb86f8271e06f931d9c64c 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/eca18feed38b3377a2ec5d1f22af1170c55d0171 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/6744e49fe51bfba26522acc2d0e9703cb41d8e50 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/3544210609f6d1db282bbdeca639104ef624c393 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/eb8a8124484dbc3c2b543e207da39bbccb703d31 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/84d8f58cf28a0415413f43ba7148f7bacd4c1b6e 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/8c84885e9790823828bb8084736ea15769b1ac16 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/d19ddef8c327a4773ff81f8e51027d1e0b4cf069 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis