CVE-2026-52942
Analyzed Analyzed - Analysis Complete

Buffer Overread in Linux Kernel Netfilter nf_log

Vulnerability report for CVE-2026-52942, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-08

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_log: validate MAC header was set before dumping it The fallback path of dump_mac_header() guards the MAC header access only with "skb->mac_header != skb->network_header", without checking skb_mac_header_was_set(). When the MAC header is unset, mac_header is 0xffff, so the test passes and skb_mac_header(skb) returns skb->head + 0xffff, ~64 KiB past the buffer; the loop then reads dev->hard_header_len bytes out of bounds into the kernel log. This is reachable via the netdev logger: nf_log_unknown_packet() calls dump_mac_header() unconditionally, and an skb sent through AF_PACKET with PACKET_QDISC_BYPASS reaches the egress hook with mac_header still unset (__dev_queue_xmit(), which would reset it, is bypassed). Add the skb_mac_header_was_set() check the ARPHRD_ETHER path already uses, and replace the open-coded MAC header length test with skb_mac_header_len(). Only skbs with an unset MAC header are affected; valid ones are dumped as before. BUG: KASAN: slab-out-of-bounds in dump_mac_header (net/netfilter/nf_log_syslog.c:831) Read of size 1 at addr ffff88800ea49d3f by task exploit/148 Call Trace: kasan_report (mm/kasan/report.c:595) dump_mac_header (net/netfilter/nf_log_syslog.c:831) nf_log_netdev_packet (net/netfilter/nf_log_syslog.c:938 net/netfilter/nf_log_syslog.c:963) nf_log_packet (net/netfilter/nf_log.c:260) nft_log_eval (net/netfilter/nft_log.c:60) nft_do_chain (net/netfilter/nf_tables_core.c:285) nft_do_chain_netdev (net/netfilter/nft_chain_filter.c:307) nf_hook_slow (net/netfilter/core.c:619) nf_hook_direct_egress (net/packet/af_packet.c:257) packet_xmit (net/packet/af_packet.c:280) packet_sendmsg (net/packet/af_packet.c:3114) __sys_sendto (net/socket.c:2265)

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-08
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 13 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 5.16 (inc) to 6.1.176 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.143 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.36 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.94 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.13 (exc)
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 2.6.36 (inc) to 5.15.210 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's netfilter logging component (nf_log). It occurs because the code attempts to dump the MAC header without properly verifying if the MAC header was set. Specifically, the fallback path in dump_mac_header() only checks if the MAC header pointer differs from the network header pointer, but does not confirm if the MAC header was actually set.

When the MAC header is unset, its value is 0xffff, which causes the check to pass incorrectly. As a result, the function reads memory about 64 KiB past the intended buffer boundary, leading to an out-of-bounds read. This happens when packets are sent through AF_PACKET with PACKET_QDISC_BYPASS, bypassing the usual reset of the MAC header.

The issue was fixed by adding a proper check to ensure the MAC header was set before accessing it, preventing the out-of-bounds read.

Impact Analysis

This vulnerability can cause the Linux kernel to read memory out of bounds when logging network packets, which may lead to kernel crashes or instability due to memory corruption.

An attacker could potentially exploit this flaw to cause denial of service (DoS) by triggering kernel crashes through specially crafted network packets.

While the description does not explicitly mention privilege escalation or code execution, out-of-bounds reads in kernel space can sometimes be leveraged for further attacks depending on the system context.

Detection Guidance

This vulnerability involves out-of-bounds reads in the Linux kernel's netfilter logging code when the MAC header is unset. Detection would typically involve monitoring kernel logs for related error messages such as KASAN slab-out-of-bounds reports referencing dump_mac_header or nf_log_syslog.c.

Since the issue occurs during packet logging via netdev logger and AF_PACKET sockets with PACKET_QDISC_BYPASS, you can check for suspicious packets or attempts to send packets through AF_PACKET sockets with this flag set.

However, no specific commands or detection tools are provided in the available information.

Mitigation Strategies

The vulnerability has been resolved by adding a check to ensure the MAC header was set before accessing it in the kernel logging code. Immediate mitigation steps would include updating the Linux kernel to a version that includes this fix.

Until the kernel is updated, consider restricting or monitoring the use of AF_PACKET sockets with PACKET_QDISC_BYPASS to reduce the risk of triggering the vulnerability.

No other specific mitigation commands or workarounds are provided in the available information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52942. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart