{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-52942", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-06-09T07:44:35.370Z", "datePublished": "2026-06-24T07:14:30.610Z", "dateUpdated": "2026-06-24T07:14:30.610Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-06-24T07:14:30.610Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_log: validate MAC header was set before dumping it\n\nThe fallback path of dump_mac_header() guards the MAC header access\nonly with \"skb->mac_header != skb->network_header\", without checking\nskb_mac_header_was_set(). When the MAC header is unset, mac_header is\n0xffff, so the test passes and skb_mac_header(skb) returns\nskb->head + 0xffff, ~64 KiB past the buffer; the loop then reads\ndev->hard_header_len bytes out of bounds into the kernel log.\n\nThis is reachable via the netdev logger: nf_log_unknown_packet() calls\ndump_mac_header() unconditionally, and an skb sent through AF_PACKET\nwith PACKET_QDISC_BYPASS reaches the egress hook with mac_header still\nunset (__dev_queue_xmit(), which would reset it, is bypassed).\n\nAdd the skb_mac_header_was_set() check the ARPHRD_ETHER path already\nuses, and replace the open-coded MAC header length test with\nskb_mac_header_len(). Only skbs with an unset MAC header are affected;\nvalid ones are dumped as before.\n\n BUG: KASAN: slab-out-of-bounds in dump_mac_header (net/netfilter/nf_log_syslog.c:831)\n Read of size 1 at addr ffff88800ea49d3f by task exploit/148\n Call Trace:\n kasan_report (mm/kasan/report.c:595)\n dump_mac_header (net/netfilter/nf_log_syslog.c:831)\n nf_log_netdev_packet (net/netfilter/nf_log_syslog.c:938 net/netfilter/nf_log_syslog.c:963)\n nf_log_packet (net/netfilter/nf_log.c:260)\n nft_log_eval (net/netfilter/nft_log.c:60)\n nft_do_chain (net/netfilter/nf_tables_core.c:285)\n nft_do_chain_netdev (net/netfilter/nft_chain_filter.c:307)\n nf_hook_slow (net/netfilter/core.c:619)\n nf_hook_direct_egress (net/packet/af_packet.c:257)\n packet_xmit (net/packet/af_packet.c:280)\n packet_sendmsg (net/packet/af_packet.c:3114)\n __sys_sendto (net/socket.c:2265)"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_log_syslog.c"], "versions": [{"version": "7eb9282cd0efac08b8377cbd5037ba297c77e3f7", "lessThan": "d704ee9c7bc68a161684c51a7ac05b446dcf38d4", "status": "affected", "versionType": "git"}, {"version": "7eb9282cd0efac08b8377cbd5037ba297c77e3f7", "lessThan": "befb8968a2abdfa948d5600ea7f7a509a292a590", "status": "affected", "versionType": "git"}, {"version": "7eb9282cd0efac08b8377cbd5037ba297c77e3f7", "lessThan": "8a81e336da685423f5b64aac4d571e63d674c52a", "status": "affected", "versionType": "git"}, {"version": "7eb9282cd0efac08b8377cbd5037ba297c77e3f7", "lessThan": "c38d41134085193efd5b237cf513ad5b3421a60d", "status": "affected", "versionType": "git"}, {"version": "7eb9282cd0efac08b8377cbd5037ba297c77e3f7", "lessThan": "af1b7699466f6556b351fa25d3dc870abfb5d310", "status": "affected", "versionType": "git"}, {"version": "7eb9282cd0efac08b8377cbd5037ba297c77e3f7", "lessThan": "65ef7397eb9a296e91839f5fd10be96f23d332e7", "status": "affected", "versionType": "git"}, {"version": "7eb9282cd0efac08b8377cbd5037ba297c77e3f7", "lessThan": "a84b6fedbc97078788be78dbdd7517d143ad1a77", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_log_syslog.c"], "versions": [{"version": "2.6.36", "status": "affected"}, {"version": "0", "lessThan": "2.6.36", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.210", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.176", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.143", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.94", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.36", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.13", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "5.15.210"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "6.1.176"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "6.6.143"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "6.12.94"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "6.18.36"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "7.0.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "7.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d704ee9c7bc68a161684c51a7ac05b446dcf38d4"}, {"url": "https://git.kernel.org/stable/c/befb8968a2abdfa948d5600ea7f7a509a292a590"}, {"url": "https://git.kernel.org/stable/c/8a81e336da685423f5b64aac4d571e63d674c52a"}, {"url": "https://git.kernel.org/stable/c/c38d41134085193efd5b237cf513ad5b3421a60d"}, {"url": "https://git.kernel.org/stable/c/af1b7699466f6556b351fa25d3dc870abfb5d310"}, {"url": "https://git.kernel.org/stable/c/65ef7397eb9a296e91839f5fd10be96f23d332e7"}, {"url": "https://git.kernel.org/stable/c/a84b6fedbc97078788be78dbdd7517d143ad1a77"}], "title": "netfilter: nf_log: validate MAC header was set before dumping it", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{}

{}

{}