Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: xtables: restrict several matches to inet family

This is a partial revert of:

commit ab4f21e6fb1c ("netfilter: xtables: use NFPROTO_UNSPEC in more extensions")

to allow ipv4 and ipv6 only.

- xt_mac
- xt_owner
- xt_physdev

These extensions are not used by ebtables in userspace.

Moreover, xt_realm is only for ipv4, since dst->tclassid is ipv4
specific.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kernel patch limits the use of several iptables extensions—xt_mac, xt_owner, and xt_physdev—to the inet family, preventing them from being applied to non‑IPv4/IPv6 protocols. This change is a corrective measure rather than an introduction of a new vulnerability; it reduces the potential for mis protocol families. The fix thereby stabilizes firewall rule processing without providing a new attack surface such as remote code execution or data exfiltration.

Affected Systems

All Linux kernel deployments are impacted because the change is applied globally in the kernel source tree. The patched code applies to all Linux distributions that ship the updated kernel; no specific vendor or version is listed, so any system running a newer kernel receiving this commit will include the restriction.

Risk and Exploitability

The CVSS score is 5.5, indicating a moderate level of security impact. The EPSS score is < 1%, suggesting a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, further indicating lower exploitation likelihood. The likely attack vector is through misuse of iptables rules that reference the affected extensions with a protocol other than IPv4 or IPv6, but this is considered a misconfiguration rather than an exploitable flaw. As a result, the overall risk remains low, and monitoring for rule compatibility is sufficient.

Generated by OpenCVE AI on June 26, 2026 at 03:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel version that includes this patch to ensure the extensions are correctly restricted to the inet family.
  • If using ebtables, remove any reliance on xt_mac, xt_owner, or xt_physdev, as these extensions are not used in users‑space ebtables.
  • Review and adjust firewall rules to specify the inet family explicitly for the affected extensions, thereby maintaining compatibility after the kernel upgrade.

Generated by OpenCVE AI on June 26, 2026 at 03:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Fri, 26 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-632

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-551
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 24 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-632

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: xtables: restrict several matches to inet family This is a partial revert of: commit ab4f21e6fb1c ("netfilter: xtables: use NFPROTO_UNSPEC in more extensions") to allow ipv4 and ipv6 only. - xt_mac - xt_owner - xt_physdev These extensions are not used by ebtables in userspace. Moreover, xt_realm is only for ipv4, since dst->tclassid is ipv4 specific.
Title netfilter: xtables: restrict several matches to inet family
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:13.513Z

Reserved: 2026-06-09T07:44:35.377Z

Link: CVE-2026-53001

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53001 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T04:00:07Z

Weaknesses
  • CWE-551

    Incorrect Behavior Order: Authorization Before Parsing and Canonicalization