Impact
The Linux kernel contains a bug in the netfilter nf_log subsystem where the function dump_mac_header can be triggered without first verifying that the MAC header has been set. When an SKB with an unset MAC header passes through a specific code path, the function reads memory past the packet buffer because the 0xffff value in skb->mac_header is incorrectly accepted as a valid offset. This out-of-bounds read allows data from beyond the packet buffer to be written into the kernel log, potentially exposing sensitive kernel memory contents. This error corresponds to CWE-125, an out-of-bounds read weakness.
Affected Systems
This vulnerability affects all Linux kernel releases that include the unpatched nf_log implementation. The patch was introduced in later kernel commits, but versions prior to that remain vulnerable. Because the flaw is present at the core of the kernel networking stack, virtually any Linux distribution running an affected kernel is at risk, regardless of userland configuration. No specific vendor product versions are listed in the CNA data, so the safest assumption is that any kernel that has not applied the commit is affected.
Risk and Exploitability
The CVSS score is 7.1, but the EPSS score is < 1% and the vulnerability is not listed in the CISA KEV catalog, indicating that no widely documented exploit exists at the time of this analysis. The described exploitation path involves sending packets via AF_PACKET with the PACKET_QDISC_BYPASS flag to reach the egress hook before the MAC header is automatically set. The level of privilege or control required for this is not explicitly documented and is inferred. Consequently, the likelihood of exploitation in the wild is low, but the severity of the memory leakage warrants immediate patching or mitigation to prevent potential kernel data exposure.
OpenCVE Enrichment
Debian DLA