CVE-2026-53014
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir

In tcf_blockcast_redir(), when iterating block ports to redirect packets to multiple devices, the mac_header_xmit flag is queried from the wrong device. The loop sends to dev_prev but queries dev_is_mac_header_xmit(dev), which is the NEXT device in the iteration, not the one being sent to. This causes tcf_mirred_to_dev() to make incorrect decisions about whether to push or pull the MAC header.

When the block contains mixed device types (e.g., an ethernet veth and a tunnel device), intermediate devices get the wrong mac_header_xmit flag, leading to skb header corruption. In the worst case, skb_push_rcsum with an incorrect mac_len can exhaust headroom and panic.

The last device in the loop is handled correctly (line 365-366 uses dev_is_mac_header_xmit(dev_prev)), confirming this is a copy-paste oversight for the intermediate devices.

Fix by using dev_prev instead of dev for the mac_header_xmit query, consistent with the device actually being sent to.
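As an added illustration, not kernel code and not part of this advisory, the constructed C model below replays the iteration described above over a made-up block of three ports and counts, per send, how often the flag handed to the send routine belongs to a device other than the one actually being sent to. struct dev, send_to(), blockcast(), the device names and their flag values are all assumptions of this example.

```c
/* Constructed model of the tcf_blockcast_redir() loop, not kernel code;
 * device names and flag values are made up for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct dev { const char *name; bool mac_header_xmit; };

static bool dev_is_mac_header_xmit(const struct dev *d) { return d->mac_header_xmit; }
/* Stand-in for tcf_mirred_to_dev(): returns 1 when the flag passed in does not
 * belong to the device the packet is sent to, i.e. a push/pull decision made
 * with the wrong device's header semantics. */
static int send_to(const struct dev *to, bool mac_header_xmit)
{
    return mac_header_xmit != to->mac_header_xmit;
}

/* Walk the block ports as the kernel does: each port is sent to one iteration
 * late, as dev_prev, so the last one can be handled after the loop. 'fixed'
 * selects where the flag is read from: dev_prev (the device actually sent to)
 * or dev (the bug: the NEXT device in the walk). Returns the mismatch count. */
static int blockcast(const struct dev *ports, size_t n, bool fixed)
{
    const struct dev *dev_prev = NULL;
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        const struct dev *dev = &ports[i];
        if (dev_prev)
            bad += send_to(dev_prev, dev_is_mac_header_xmit(fixed ? dev_prev : dev));
        dev_prev = dev;
    }
    if (dev_prev)   /* last device: read from dev_prev in both variants */
        bad += send_to(dev_prev, dev_is_mac_header_xmit(dev_prev));
    return bad;
}

/* Constructed mixed block: ethernet veth (true), tunnel (false), ethernet veth. */
static int mismatches_in_mixed_block(bool fixed)
{
    static const struct dev ports[] = { {"veth0", true}, {"gre0", false}, {"veth1", true} };
    return blockcast(ports, 3, fixed);
}

int main(void)
{
    printf("buggy: %d mismatches, fixed: %d\n",
           mismatches_in_mixed_block(false), mismatches_in_mixed_block(true));
    return 0;
}
```

With the buggy variant both intermediate sends use a neighbour's flag (two mismatches); with the fix every send uses the flag of the device it targets, and a homogeneous block shows no difference in either variant, which is why the problem only surfaces with mixed device types.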
Meta Information
  • Published: 2026-06-24
  • Last Modified: 2026-06-24
  • Generated: 2026-06-25
  • AI Q&A: 2026-06-24
  • EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
  • Vendor: linux, Product: kernel, Version / Range: *
CWE ID: CWE-UNKNOWN
AI Quick Actions
Executive Summary

This vulnerability exists in the Linux kernel's network scheduler component, specifically in the act_mirred module within the tcf_blockcast_redir() function.

When redirecting packets to multiple devices, the code incorrectly queries the mac_header_xmit flag from the wrong device in the iteration loop. It checks the flag on the next device instead of the current device being sent to.

This mistake causes incorrect decisions about whether to push or pull the MAC header on packets, which can lead to corruption of the socket buffer (skb) header when the block contains mixed device types like ethernet veth and tunnel devices.

In the worst case, this can exhaust the packet's headroom and cause a kernel panic.

The fix involves querying the mac_header_xmit flag from the correct device (dev_prev), consistent with the device actually being sent to.

Impact Analysis

This vulnerability can cause corruption of network packet headers when packets are redirected across multiple network devices of different types.

Such corruption may lead to network communication errors or instability in the Linux kernel's networking stack.

In the worst case, it can cause the kernel to panic, resulting in system crashes and potential downtime.

Mitigation Strategies

The vulnerability is fixed by correcting the device used for the mac_header_xmit check in the Linux kernel's net/sched act_mirred module. To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

  • Identify your current Linux kernel version.
  • Check for available kernel updates from your distribution that address this issue.
  • Apply the kernel update and reboot the system to load the patched kernel.

Until the update is applied, avoid configurations that mix device types (e.g., ethernet veth and tunnel devices) in block ports that use tcf_blockcast_redir, as this can trigger the vulnerability.
