{"api_version":"1","generated_at":"2026-06-25T11:33:53+00:00","cve":"CVE-2026-53218","urls":{"html":"https://cve.report/CVE-2026-53218","api":"https://cve.report/api/cve/CVE-2026-53218.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53218","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53218"},"summary":{"title":"netfilter: nft_exthdr: fix register tracking for F_PRESENT flag","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_exthdr: fix register tracking for F_PRESENT flag\n\nnft_exthdr_init() passes user-controlled priv->len to\nnft_parse_register_store(), which marks that many bytes in the\nregister bitmap as initialized.  However, when NFT_EXTHDR_F_PRESENT\nis set, the eval paths write only 1 byte (nft_reg_store8) or\n4 bytes (*dest = 0 on TCP/DCCP error path).  When len > 4,\nregisters beyond the first are never written, retaining\nuninitialized stack data from nft_regs.\n\nBail out if userspace requests too much data when F_PRESENT is set.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-25 09:16:39","updated_at":"2026-06-25 09:16:39"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/46fc15a044e9938e7ea77786fb37edd2cd74f031","name":"https://git.kernel.org/stable/c/46fc15a044e9938e7ea77786fb37edd2cd74f031","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/8738b1b6d0e639ca1fc0f61516afd3557ac4ecc6","name":"https://git.kernel.org/stable/c/8738b1b6d0e639ca1fc0f61516afd3557ac4ecc6","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/772cecf198da732faebb5dcfc46d66a505be8495","name":"https://git.kernel.org/stable/c/772cecf198da732faebb5dcfc46d66a505be8495","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/78069a6d8bc86c9e036eb82c2af4a19cc1871a53","name":"https://git.kernel.org/stable/c/78069a6d8bc86c9e036eb82c2af4a19cc1871a53","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/19748967d59c31d24d21d40b728570788310b237","name":"https://git.kernel.org/stable/c/19748967d59c31d24d21d40b728570788310b237","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f08fb3d42fd3aad0b7a263da3ac3ebaf0845e265","name":"https://git.kernel.org/stable/c/f08fb3d42fd3aad0b7a263da3ac3ebaf0845e265","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/67b27434c43b68a97becda98c9f0c8cf6cba2134","name":"https://git.kernel.org/stable/c/67b27434c43b68a97becda98c9f0c8cf6cba2134","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/cd513e43b4b2bd1de39e2367bc4261c699a8652f","name":"https://git.kernel.org/stable/c/cd513e43b4b2bd1de39e2367bc4261c699a8652f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53218","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53218","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783 8738b1b6d0e639ca1fc0f61516afd3557ac4ecc6 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783 19748967d59c31d24d21d40b728570788310b237 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783 46fc15a044e9938e7ea77786fb37edd2cd74f031 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783 cd513e43b4b2bd1de39e2367bc4261c699a8652f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783 67b27434c43b68a97becda98c9f0c8cf6cba2134 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783 78069a6d8bc86c9e036eb82c2af4a19cc1871a53 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783 f08fb3d42fd3aad0b7a263da3ac3ebaf0845e265 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783 772cecf198da732faebb5dcfc46d66a505be8495 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4.11","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.11 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.259 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.210 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.176 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.143 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.94 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.36 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.13 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/netfilter/nft_exthdr.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"8738b1b6d0e639ca1fc0f61516afd3557ac4ecc6","status":"affected","version":"c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783","versionType":"git"},{"lessThan":"19748967d59c31d24d21d40b728570788310b237","status":"affected","version":"c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783","versionType":"git"},{"lessThan":"46fc15a044e9938e7ea77786fb37edd2cd74f031","status":"affected","version":"c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783","versionType":"git"},{"lessThan":"cd513e43b4b2bd1de39e2367bc4261c699a8652f","status":"affected","version":"c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783","versionType":"git"},{"lessThan":"67b27434c43b68a97becda98c9f0c8cf6cba2134","status":"affected","version":"c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783","versionType":"git"},{"lessThan":"78069a6d8bc86c9e036eb82c2af4a19cc1871a53","status":"affected","version":"c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783","versionType":"git"},{"lessThan":"f08fb3d42fd3aad0b7a263da3ac3ebaf0845e265","status":"affected","version":"c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783","versionType":"git"},{"lessThan":"772cecf198da732faebb5dcfc46d66a505be8495","status":"affected","version":"c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/netfilter/nft_exthdr.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"4.11"},{"lessThan":"4.11","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.259","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.210","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.176","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.143","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.94","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.36","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.13","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.259","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.210","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.176","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.143","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.94","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.36","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.13","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"4.11","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_exthdr: fix register tracking for F_PRESENT flag\n\nnft_exthdr_init() passes user-controlled priv->len to\nnft_parse_register_store(), which marks that many bytes in the\nregister bitmap as initialized.  However, when NFT_EXTHDR_F_PRESENT\nis set, the eval paths write only 1 byte (nft_reg_store8) or\n4 bytes (*dest = 0 on TCP/DCCP error path).  When len > 4,\nregisters beyond the first are never written, retaining\nuninitialized stack data from nft_regs.\n\nBail out if userspace requests too much data when F_PRESENT is set."}],"providerMetadata":{"dateUpdated":"2026-06-25T08:39:21.069Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/8738b1b6d0e639ca1fc0f61516afd3557ac4ecc6"},{"url":"https://git.kernel.org/stable/c/19748967d59c31d24d21d40b728570788310b237"},{"url":"https://git.kernel.org/stable/c/46fc15a044e9938e7ea77786fb37edd2cd74f031"},{"url":"https://git.kernel.org/stable/c/cd513e43b4b2bd1de39e2367bc4261c699a8652f"},{"url":"https://git.kernel.org/stable/c/67b27434c43b68a97becda98c9f0c8cf6cba2134"},{"url":"https://git.kernel.org/stable/c/78069a6d8bc86c9e036eb82c2af4a19cc1871a53"},{"url":"https://git.kernel.org/stable/c/f08fb3d42fd3aad0b7a263da3ac3ebaf0845e265"},{"url":"https://git.kernel.org/stable/c/772cecf198da732faebb5dcfc46d66a505be8495"}],"title":"netfilter: nft_exthdr: fix register tracking for F_PRESENT flag","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53218","datePublished":"2026-06-25T08:39:21.069Z","dateReserved":"2026-06-09T07:44:35.392Z","dateUpdated":"2026-06-25T08:39:21.069Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-25 09:16:39","lastModifiedDate":"2026-06-25 09:16:39","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53218","Ordinal":"1","Title":"netfilter: nft_exthdr: fix register tracking for F_PRESENT flag","CVE":"CVE-2026-53218","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53218","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_exthdr: fix register tracking for F_PRESENT flag\n\nnft_exthdr_init() passes user-controlled priv->len to\nnft_parse_register_store(), which marks that many bytes in the\nregister bitmap as initialized.  However, when NFT_EXTHDR_F_PRESENT\nis set, the eval paths write only 1 byte (nft_reg_store8) or\n4 bytes (*dest = 0 on TCP/DCCP error path).  When len > 4,\nregisters beyond the first are never written, retaining\nuninitialized stack data from nft_regs.\n\nBail out if userspace requests too much data when F_PRESENT is set.","Type":"Description","Title":"netfilter: nft_exthdr: fix register tracking for F_PRESENT flag"}]}}}