CVE-2026-53219
Status: Received - Intake
Information Leak in Linux Kernel x_tables

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: x_tables: avoid leaking percpu counter pointers

The native and compat get-entries paths copy the fixed rule entry header from the kernelized rule blob to userspace before overwriting the entry's counter fields with a sanitized counter snapshot. On SMP kernels, entry->counters.pcnt contains the percpu allocation address used by x_tables rule counters.

A caller can provide a userspace buffer that faults during the initial fixed-header copy after pcnt has been copied but before the later sanitized counter copy runs. The syscall then returns -EFAULT while leaving the raw percpu pointer in userspace.

Copy only the fixed entry prefix before counters from the kernelized rule blob, then copy the sanitized counter snapshot into the counter field. Apply this ordering to the IPv4, IPv6, and ARP native and compat get-entries implementations so a fault cannot expose the internal percpu counter pointer.
Meta Information
Generated: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products (3 associated CPEs)

Vendor        Product        Version / Range
linux         linux_kernel   up to 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (inclusive)
linux         linux_kernel   *
linux_kernel  linux_kernel   *
CWE ID: CWE-UNKNOWN
Impact Analysis

This vulnerability can lead to leaking of internal kernel memory pointers (percpu counter pointers) to userspace. Such information leaks can potentially be used by attackers to gain insights into kernel memory layout, which may aid in further exploitation such as privilege escalation or bypassing security mechanisms. Although the vulnerability does not directly allow code execution or data modification, leaking kernel pointers can weaken system security by providing attackers with sensitive information about kernel internals.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by changing the way the netfilter x_tables get-entries paths copy rule entries to userspace, preventing leaking of percpu counter pointers.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Executive Summary

This vulnerability exists in the Linux kernel's netfilter x_tables component. It involves the way rule entries and their counters are copied from kernel space to userspace. Specifically, on SMP (Symmetric Multi-Processing) kernels, a pointer to a per-CPU counter allocation (percpu pointer) can be leaked to userspace if a userspace buffer faults during the copying process. This happens because the kernel copies the fixed rule entry header, including the percpu pointer, before overwriting the counter fields with sanitized data. If a fault occurs after the pointer is copied but before the sanitized counters are copied, the raw percpu pointer remains exposed in userspace. The fix involves changing the copy order to ensure only the fixed entry prefix is copied before counters, and then the sanitized counter snapshot is copied, preventing exposure of internal kernel pointers.
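The copy-ordering defect that the description and the executive summary above both describe can be modelled in a few lines of user-space C. The block below is an added simulation written for this record; it is not kernel code and not part of the CVE entry. It assumes a hypothetical, simplified rule entry layout (sim_entry, sim_counters, modelled loosely on ipt_entry and xt_counters), a simulated copy_to_user() that stops copying at a chosen fault offset and returns the number of bytes not copied, and a constructed percpu address value standing in for the real allocation pointer. get_entry_before_fix reproduces the ordering the advisory calls vulnerable; get_entry_after_fix reproduces the corrected ordering.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for an x_tables rule entry: a fixed prefix,
 * then the counters, then (omitted here) match/target data. The field names
 * follow the kernel's ipt_entry / xt_counters, but this struct is constructed
 * for the demonstration and is not the kernel's definition. */
struct sim_counters {
    uint64_t pcnt; /* on SMP kernels this slot holds the percpu allocation address */
    uint64_t bcnt;
};

struct sim_entry {
    uint32_t target_offset; /* prefix fields that may be copied verbatim */
    uint32_t next_offset;
    uint32_t comefrom;
    struct sim_counters counters;
};

/* Simulated userspace destination. Bytes below fault_at are writable; a write
 * that reaches fault_at stops there, as when a buffer runs into an unmapped page. */
struct sim_user {
    unsigned char buf[sizeof(struct sim_entry)];
    size_t fault_at;
};
#define SIM_NO_FAULT sizeof(struct sim_entry)

/* Mirrors copy_to_user(): copies what it can, returns the number of bytes NOT copied. */
static size_t sim_copy_to_user(struct sim_user *u, size_t off, const void *src, size_t n)
{
    size_t limit = u->fault_at > off ? u->fault_at - off : 0;
    size_t done = n < limit ? n : limit;
    memcpy(u->buf + off, src, done);
    return n - done;
}

typedef int (*get_entry_fn)(const struct sim_entry *, const struct sim_counters *, struct sim_user *);

/* Pre-fix ordering described in the advisory: the whole fixed header, counters
 * included, is copied first and the counter field is overwritten afterwards. */
static int get_entry_before_fix(const struct sim_entry *e, const struct sim_counters *sane, struct sim_user *u)
{
    if (sim_copy_to_user(u, 0, e, sizeof(*e)))
        return -EFAULT; /* the raw pcnt may already sit in the user buffer */
    if (sim_copy_to_user(u, offsetof(struct sim_entry, counters), sane, sizeof(*sane)))
        return -EFAULT;
    return 0;
}

/* Fixed ordering: only the prefix before the counters comes from the kernel
 * blob; the counter field is filled solely from the sanitized snapshot. */
static int get_entry_after_fix(const struct sim_entry *e, const struct sim_counters *sane, struct sim_user *u)
{
    if (sim_copy_to_user(u, 0, e, offsetof(struct sim_entry, counters)))
        return -EFAULT;
    if (sim_copy_to_user(u, offsetof(struct sim_entry, counters), sane, sizeof(*sane)))
        return -EFAULT;
    return 0;
}

/* Runs one copy path against a buffer that faults at fault_at. Returns 1 if the
 * user-visible pcnt slot holds the raw (constructed) percpu address, 0 if it holds
 * the sanitized packet count or nothing. If rc is non-NULL it receives the
 * syscall-style result (0 or -EFAULT). */
static int user_sees_raw_pcnt(get_entry_fn path, size_t fault_at, int *rc)
{
    struct sim_entry e = { .target_offset = 40, .next_offset = 72, .comefrom = 0,
                           .counters = { .pcnt = 0xffffe8ffffc0a1c0ULL, /* constructed address */
                                         .bcnt = 0 } };
    struct sim_counters sane = { .pcnt = 17, .bcnt = 2312 }; /* constructed sanitized snapshot */
    struct sim_user u = { .fault_at = fault_at };
    uint64_t seen;
    int r = path(&e, &sane, &u);

    if (rc)
        *rc = r;
    memcpy(&seen, u.buf + offsetof(struct sim_entry, counters), sizeof(seen));
    return seen == e.counters.pcnt;
}

/* Result code of one run, for callers that only care about -EFAULT vs 0. */
static int path_result(get_entry_fn path, size_t fault_at)
{
    int rc;
    user_sees_raw_pcnt(path, fault_at, &rc);
    return rc;
}

/* Fault offset that lands after pcnt but before bcnt: the window the advisory describes. */
static size_t fault_inside_counters(void)
{
    return offsetof(struct sim_entry, counters) + sizeof(uint64_t);
}

int main(void)
{
    int rc, leak;
    leak = user_sees_raw_pcnt(get_entry_before_fix, fault_inside_counters(), &rc);
    printf("before fix, fault in counters: rc=%d raw pcnt visible=%d\n", rc, leak);
    leak = user_sees_raw_pcnt(get_entry_after_fix, fault_inside_counters(), &rc);
    printf("after fix,  fault in counters: rc=%d raw pcnt visible=%d\n", rc, leak);
    leak = user_sees_raw_pcnt(get_entry_before_fix, SIM_NO_FAULT, &rc);
    printf("before fix, no fault:          rc=%d raw pcnt visible=%d\n", rc, leak);
    return 0;
}
```

The third run shows why the defect is easy to miss: when no fault occurs, both orderings leave identical bytes in the user buffer, because the second copy always overwrites the counter slot. Only the partial-copy case exposes the raw pointer, so a regression test for this class of bug has to model a destination that faults partway through the header rather than just comparing the final output of a successful call.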
