CVE-2026-53266
Received - Intake
Linux Kernel ARP Rewrite Writeability Vulnerability

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: bridge: make ebt_snat ARP rewrite writable

The ebtables SNAT target keeps the Ethernet source address rewrite behind skb_ensure_writable(skb, 0). This is intentional: at the bridge ebtables hooks the Ethernet header is addressed through skb_mac_header()/eth_hdr(), while skb->data points at the Ethernet payload. Asking skb_ensure_writable() for ETH_HLEN bytes would check the payload, not the Ethernet header, and would reintroduce the small packet regression fixed by commit 63137bc5882a.

However, the optional ARP sender hardware address rewrite is different. It writes through skb_store_bits() at an offset relative to skb->data:

    skb_store_bits(skb, sizeof(struct arphdr), info->mac, ETH_ALEN)

skb_header_pointer() only safely reads the ARP header; it does not make the later sender hardware address range writable. If that range is still held in a nonlinear skb fragment backed by a splice-imported file page, skb_store_bits() maps the frag page and copies the new MAC address directly into it.

Ensure the ARP SHA range is writable before reading the ARP header and before calling skb_store_bits().
Affected Vendors & Products
Showing 1 associated CPE
Vendor        Product       Version / Range
linux_kernel  linux_kernel  *
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability is in the Linux kernel's netfilter bridge component, in the ebtables SNAT target (ebt_snat) that rewrites Ethernet source addresses. The target's optional ARP sender hardware address (SHA) rewrite writes the new MAC address with skb_store_bits() at an offset relative to skb->data, without first ensuring that this byte range is writable. skb_header_pointer() only makes the ARP header safe to read; if the SHA range is still held in a nonlinear skb fragment backed by a splice-imported file page, skb_store_bits() maps that page and copies the MAC address directly into it, potentially causing incorrect behavior or memory corruption. The fix ensures that the ARP SHA range is writable before the ARP header is read and before skb_store_bits() is called.
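
The failure mode and the fix described above, as a userspace C model added here for illustration (it is not kernel code and not the upstream patch). toy_skb, toy_store_bits() and toy_ensure_writable() are hypothetical stand-ins for the skb, skb_store_bits() and skb_ensure_writable(), and the packet bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARP_HDR_LEN 8 /* sizeof(struct arphdr): fixed ARP header preceding the SHA */
#define ETH_ALEN    6
struct toy_skb { /* userspace model; offset 0 stands for skb->data (the ARP header) */
    uint8_t *head; size_t head_len; /* private linear area */
    uint8_t *frag; size_t frag_len; /* paged data: here a page shared with a "file" */
};

/* Like skb_store_bits(): writes into whichever buffer backs each offset. */
static void toy_store_bits(struct toy_skb *skb, size_t off, const uint8_t *src, size_t len)
{
    for (size_t i = 0; i < len; i++, off++)
        *(off < skb->head_len ? &skb->head[off] : &skb->frag[off - skb->head_len]) = src[i];
}

/* Like skb_ensure_writable(), clone handling omitted: privatize the first len bytes. */
static int toy_ensure_writable(struct toy_skb *skb, size_t len)
{
    if (len <= skb->head_len) return 0;
    uint8_t *priv = len <= skb->head_len + skb->frag_len ? malloc(len) : NULL;
    if (!priv) return -1; /* packet too short, or out of memory */
    memcpy(priv, skb->head, skb->head_len);
    memcpy(priv + skb->head_len, skb->frag, len - skb->head_len);
    skb->frag += len - skb->head_len; skb->frag_len -= len - skb->head_len;
    skb->head = priv; skb->head_len = len;
    return 0;
}

/* Rewrites the ARP SHA; returns 1 if the shared page changed, 0 if not, -1 on error. */
static int rewrite_sha_touches_page(int ensure_first)
{
    uint8_t mac[ETH_ALEN] = {2, 0, 0, 0, 0, 1}, head[4] = {0, 1, 8, 0}, page[32], orig[32]; /* constructed */
    memset(page, 0xAA, sizeof page); memcpy(orig, page, sizeof orig);
    struct toy_skb skb = { head, sizeof head, page, sizeof page };
    if (ensure_first && toy_ensure_writable(&skb, ARP_HDR_LEN + ETH_ALEN)) return -1;
    toy_store_bits(&skb, ARP_HDR_LEN, mac, ETH_ALEN);
    if (skb.head != head) free(skb.head);
    return memcmp(page, orig, sizeof page) != 0;
}

int main(void)
{
    printf("store only: %d, ensure first: %d\n", rewrite_sha_touches_page(0), rewrite_sha_touches_page(1));
    return 0;
}
```

With only four bytes in the linear area, the unguarded store lands in the shared page; asking for sizeof(struct arphdr) + ETH_ALEN writable bytes first moves the SHA range into private memory, so the page is left untouched.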

Impact Analysis

This vulnerability can lead to improper handling of ARP sender hardware address rewrites in network bridging scenarios. If exploited or triggered, it may cause memory corruption or unexpected behavior in the network stack, potentially leading to system instability or crashes. This could affect network reliability and security on systems using the affected Linux kernel versions.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by ensuring that the ARP sender hardware address range is writable before it is modified. The immediate mitigation is therefore to update the Linux kernel to a version that includes this fix.
