CVE-2026-53238
Received Received - Intake
Linux Kernel NetLabel Unlabeled Address Validation Flaw

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netlabel: validate unlabeled address and mask attribute lengths netlbl_unlabel_addrinfo_get() used the address attribute length to determine whether the attribute data could be read as an IPv4 or IPv6 address, but did not independently validate the corresponding mask attribute length. A crafted Generic Netlink request could therefore provide a valid IPv4/IPv6 address attribute with a shorter mask attribute, which would later be read as a full struct in_addr or struct in6_addr. NLA_BINARY policy lengths are maximum lengths by default, so use NLA_POLICY_EXACT_LEN() for the unlabeled IPv4/IPv6 address and mask attributes. This rejects short attributes during policy validation and also exposes the exact length requirements through policy introspection.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-53238
EUVD
EUVD-2026-39329
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's netlabel subsystem, specifically in how it validates address and mask attribute lengths.

The function netlbl_unlabel_addrinfo_get() used the length of the address attribute to decide if the data should be interpreted as an IPv4 or IPv6 address, but it did not separately validate the length of the corresponding mask attribute.

As a result, a crafted Generic Netlink request could provide a valid IPv4 or IPv6 address attribute but with a shorter-than-expected mask attribute. This shorter mask attribute would later be read as if it were a full IPv4 or IPv6 address structure, potentially causing incorrect behavior.

The fix involved using exact length validation (NLA_POLICY_EXACT_LEN()) for both the unlabeled IPv4/IPv6 address and mask attributes, rejecting any attributes that are shorter than expected during policy validation.

Impact Analysis

This vulnerability could allow an attacker to send specially crafted Generic Netlink requests with malformed mask attributes that are shorter than expected.

Because the mask attribute length was not properly validated, this could lead to the kernel reading invalid or incomplete data as if it were a full IPv4 or IPv6 address structure.

Such behavior might cause unexpected kernel behavior, potentially leading to memory corruption, crashes, or other security issues depending on how the malformed data is processed.

Mitigation Strategies

The vulnerability has been resolved by validating the exact lengths of unlabeled IPv4/IPv6 address and mask attributes using NLA_POLICY_EXACT_LEN() in the Linux kernel netlabel component.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix, ensuring that the netlabel component properly validates attribute lengths and rejects malformed Generic Netlink requests.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53238. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart