CVE-2026-52927
Received Received - Intake
Out-of-Bounds Read in Linux Kernel ebtables

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: ebtables: fix OOB read in compat_mtw_from_user Luxiao Xu says: The function compat_mtw_from_user() converts ebtables extensions from 32-bit user structures to kernel native structures. However, it lacks proper validation of the user-supplied match_size/target_size. When certain extensions are processed, the kernel-side translation logic may perform memory accesses based on the extension's expected size. If the user provides a size smaller than what the extension requires, it results in an out-of-bounds read as reported by KASAN. This fix introduces a check to ensure match_size is at least as large as the extension's required compatsize. This covers matches, watchers, and targets, while maintaining compatibility with standard targets. AFAIU this is relevant for matches that need to go though match->compat_from_user() call. Those that use plain memcpy with the user-provided size are ok because the caller checks that size vs the start of the next rule entry offset (which itself is checked vs. total size copied from userspace). The ->compat_from_user() callbacks assume they can read compatsize bytes, so they need this extra check. Based on an earlier patch from Luxiao Xu.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-24
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-52927
EUVD
EUVD-2026-38730
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
netfilter ebtables *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's netfilter ebtables component, specifically in the function compat_mtw_from_user(). This function converts ebtables extensions from 32-bit user structures to kernel native structures but does not properly validate the user-supplied match_size and target_size.

If a user provides a size smaller than what the extension requires, the kernel's translation logic may perform out-of-bounds memory reads, which can lead to memory safety issues. The vulnerability was detected by KASAN (Kernel Address Sanitizer).

The fix ensures that match_size is at least as large as the extension's required size, preventing these out-of-bounds reads while maintaining compatibility with standard targets.

Impact Analysis

This vulnerability can lead to out-of-bounds memory reads in the kernel when processing certain ebtables extensions. Such memory safety issues may cause system instability, crashes, or potentially expose sensitive kernel memory contents.

While the description does not explicitly mention privilege escalation or remote code execution, out-of-bounds reads can be a stepping stone for attackers to gather information or cause denial of service.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52927. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart