Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ebtables: fix OOB read in compat_mtw_from_user

Luxiao Xu says:

The function compat_mtw_from_user() converts ebtables extensions from
32-bit user structures to kernel native structures. However, it lacks
proper validation of the user-supplied match_size/target_size.

When certain extensions are processed, the kernel-side translation
logic may perform memory accesses based on the extension's expected
size. If the user provides a size smaller than what the extension
requires, it results in an out-of-bounds read as reported by KASAN.

This fix introduces a check to ensure match_size is at least as large
as the extension's required compatsize. This covers matches, watchers,
and targets, while maintaining compatibility with standard targets.

AFAIU this is relevant for matches that need to go though
match->compat_from_user() call. Those that use plain memcpy with the
user-provided size are ok because the caller checks that size vs the
start of the next rule entry offset (which itself is checked vs. total
size copied from userspace).

The ->compat_from_user() callbacks assume they can read compatsize bytes,
so they need this extra check.

Based on an earlier patch from Luxiao Xu.
Published: 2026-06-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in the Linux kernel's ebtables module where the function compat_mtw_from_user converts user‑supplied 32‑bit ebtables extensions to kernel structures without verifying that the supplied match_size or target_size meet the extension’s required size. If an attacker supplies a size smaller than required, the kernel performs an out‑of‑bounds read, exposing kernel data as reported by KASAN. This flaw can lead to leakage of sensitive information from kernel memory. Based on the description, the primary impact is information disclosure through a memory read beyond bounds.

Affected Systems

The flaw exists in all Linux kernel releases that include the ebtables netfilter module prior to the applied patch. Vendors affected are Linux:Linux; any kernel version running ebtables without the provision of the latest security updates may be vulnerable. No specific product sub‑version list is provided, so all affected kernels before the patch are included.

Risk and Exploitability

The CVSS score is 7.8, indicating high severity, and the EPSS score is less than 1%, suggesting a low probability of exploitation. The vulnerability is an out‑of‑bounds read caused by missing input validation, implying that an attacker with knowledge of the ebtables user‑space interface could trigger the fault. The likely attack vector is through the ebtables command‑line tool or library, which could be invoked by an unprivileged or partially privileged user. These conditions make the risk high, especially in multi‑tenant environments where untrusted code may invoke ebtables. While the exploitation may be difficult without an exploit chain, the potential for data leakage warrants immediate remediation.

Generated by OpenCVE AI on June 28, 2026 at 13:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the running kernel to a version that includes the patch fixing compat_mtw_from_user input size validation
  • Restrict the use of ebtables or its extensions to trusted users or disable them entirely if not required
  • Monitor kernel logs for KASAN or similar memory corruption messages and investigate any anomalous read attempts

Generated by OpenCVE AI on June 28, 2026 at 13:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 25 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-193
CWE-20

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1284
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-193
CWE-20

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: ebtables: fix OOB read in compat_mtw_from_user Luxiao Xu says: The function compat_mtw_from_user() converts ebtables extensions from 32-bit user structures to kernel native structures. However, it lacks proper validation of the user-supplied match_size/target_size. When certain extensions are processed, the kernel-side translation logic may perform memory accesses based on the extension's expected size. If the user provides a size smaller than what the extension requires, it results in an out-of-bounds read as reported by KASAN. This fix introduces a check to ensure match_size is at least as large as the extension's required compatsize. This covers matches, watchers, and targets, while maintaining compatibility with standard targets. AFAIU this is relevant for matches that need to go though match->compat_from_user() call. Those that use plain memcpy with the user-provided size are ok because the caller checks that size vs the start of the next rule entry offset (which itself is checked vs. total size copied from userspace). The ->compat_from_user() callbacks assume they can read compatsize bytes, so they need this extra check. Based on an earlier patch from Luxiao Xu.
Title netfilter: ebtables: fix OOB read in compat_mtw_from_user
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:36:48.195Z

Reserved: 2026-06-09T07:44:35.368Z

Link: CVE-2026-52927

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52927 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:00:21Z

Weaknesses
  • CWE-1284

    Improper Validation of Specified Quantity in Input