CVE-2026-53267
Heap Overflow in Linux Kernel Netfilter nft_ct Module

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_ct: bail out on template ct in get eval

I noticed this issue while looking at a historic syzbot report [1]. A rule like the one below is enough to trigger the bug:

    table ip t {
        chain pre {
            type filter hook prerouting priority raw;
            ct zone set 1 ct original saddr 1.2.3.4 accept
        }
    }

The first expression attaches a per-cpu template ct via nft_ct_set_zone_eval() (nf_ct_tmpl_alloc -> kzalloc, tuple is all zero, nf_ct_l3num(ct) == 0). The next expression then calls nft_ct_get_eval() on the same skb, treats the template as a real ct and hits the 16-byte memcpy path. With dreg at NFT_REG32_15 this overflows past struct nft_regs on the kernel stack; with smaller dreg values it silently clobbers adjacent registers.

Reject template ct at the eval entry and in nft_ct_get_fast_eval(), mirroring the check nft_ct_set_eval() already has.

Additionally, bound the address copy in NFT_CT_SRC / NFT_CT_DST by priv->len instead of by nf_ct_l3num(ct): nf_ct_get_tuple() zeroes the tuple before pkt_to_tuple() fills in only the protocol-relevant leading bytes, so the trailing bytes of tuple->{src,dst}.u3.all are well-defined zero. priv->len is validated at rule load, so the copy size is now bounded by the destination register rather than by an untrusted field on the conntrack.

[1]: https://syzkaller.appspot.com/bug?id=389cf09cb72926114fce90dc85a2c3231dcb647c
Affected Vendors & Products (1 associated CPE)

Vendor        Product       Version / Range
linux_kernel  linux_kernel  *
CWE ID: CWE-UNKNOWN
AI Quick Actions (instant insights powered by AI)
Executive Summary

This vulnerability exists in the Linux kernel's netfilter nft_ct component. It occurs when a template connection tracking (ct) object is mistakenly treated as a real ct during evaluation, leading to a buffer overflow on the kernel stack. Specifically, a crafted nftables rule can trigger this bug by attaching a per-CPU template ct and then running a ct get expression on the same packet, causing a 16-byte memcpy operation to overflow past the nft_regs structure on the kernel stack or to silently overwrite adjacent registers.

The issue arises because the code does not properly reject template ct objects at evaluation entry points, allowing unsafe memory operations. The fix involves rejecting template ct objects during evaluation and bounding memory copies by validated lengths rather than untrusted fields.

Impact Analysis

This vulnerability can lead to a stack buffer overflow in the Linux kernel, which may cause memory corruption. Such corruption can result in system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges.

Because the overflow can overwrite adjacent kernel memory, it poses a risk of privilege escalation or denial of service, depending on how the corrupted memory is used.

Detection Guidance

This vulnerability is triggered by a specific nftables rule pattern involving connection tracking (ct) templates. To check whether rules on your system match the triggering pattern, look for rules similar to the example below that combine a 'ct zone set' expression with a 'ct original saddr' expression in the same rule:

  • table ip t { chain pre { type filter hook prerouting priority raw; ct zone set 1 ct original saddr 1.2.3.4 accept } }

You can list your current nftables rules using the command: nft list ruleset

Look specifically for rules that use connection tracking expressions like 'ct zone set' and 'ct original saddr' together, which may trigger the bug.
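The check described above, as an added example that is not part of this advisory or the kernel project: a POSIX shell filter over the text of `nft list ruleset` that reports each rule combining `ct zone set` with a conntrack address lookup in the same rule, tagged with its table and chain. The sample ruleset is constructed, and the filter generalises the page's `ct original saddr` example to both directions and both addresses, which are the NFT_CT_SRC / NFT_CT_DST keys the description names; a hit means the rule exercises the triggering pattern, while whether the running kernel is vulnerable still depends on its version.

```shell
#!/bin/sh
# Constructed sample ruleset (not captured from a real host); it stands in for the
# output of `nft list ruleset`. Two of its rules match the advisory's pattern.
SAMPLE_RULESET='table ip t {
    chain pre {
        type filter hook prerouting priority raw; policy accept;
        ct zone set 1 ct original saddr 1.2.3.4 accept
        ct zone set 2 counter
        ct original daddr 10.0.0.1 accept
    }
}
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct zone set 3 ct reply ip daddr 192.0.2.1 drop
    }
}'

# Print every rule that both attaches a template ct (`ct zone set`) and reads a
# conntrack address (`ct {original,reply} [ip|ip6] {saddr,daddr}`) in the same
# rule, prefixed with its table and chain. Reads the ruleset text on stdin.
find_suspect_ct_rules() {
    awk '
        /^[[:space:]]*table / { table = $2 " " $3 }
        /^[[:space:]]*chain / { chain = $2 }
        /ct zone set/ && /ct (original|reply) ((ip|ip6) )?(saddr|daddr)/ {
            sub(/^[[:space:]]+/, "")          # drop the indentation nft prints
            print table " / " chain ": " $0
        }
    '
}

# Number of matching rules, for scripting (0 means no rule exercises the pattern).
count_suspect_ct_rules() {
    find_suspect_ct_rules | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample; on a live host use:
#   nft list ruleset | find_suspect_ct_rules
printf '%s\n' "$SAMPLE_RULESET" | find_suspect_ct_rules
```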

Mitigation Strategies

To mitigate this vulnerability immediately, avoid using nftables rules that attach per-cpu template connection tracking (ct) entries as shown in the example rule.

Specifically, do not use rules that combine 'ct zone set' with 'ct original saddr' or similar ct template expressions that can trigger the bug.

Additionally, update your Linux kernel to a version where this issue has been resolved, as the fix involves rejecting template ct at evaluation entry points and bounding address copies safely.
