Description
In the Linux kernel, the following vulnerability has been resolved:

macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF

macvlan_get_size() does not account for IFLA_MACVLAN_BC_CUTOFF, but
macvlan_fill_info() conditionally includes it when port->bc_cutoff != 1.
This causes nla_put_s32() to fail with -EMSGSIZE when the netlink skb
runs out of space, triggering a WARN_ON in rtnetlink and preventing the
interface from being dumped.

The bug can be reproduced with:

ip link add macvlan0 link eth0 type macvlan mode bridge
ip link set macvlan0 type macvlan bc_cutoff 0
ip -d link show macvlan0 # fails with -EMSGSIZE

The bc_cutoff feature was added in commit 954d1fa1ac93 ("macvlan: Add
netlink attribute for broadcast cutoff"), which added the nla_put_s32()
call in macvlan_fill_info() but missed adding the corresponding
nla_total_size(4) in macvlan_get_size(). A follow-up commit
55cef78c244d ("macvlan: add forgotten nla_policy for
IFLA_MACVLAN_BC_CUTOFF") fixed the missing nla_policy entry but still
did not fix the size calculation.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel routine that calculates the netlink message size for a macvlan interface fails to reserve space for the IFLA_MACVLAN_BC_CUTOFF attribute. When a macvlan interface is queried with bc_cutoff set to 0, the missing attribute is added during message construction, causing nla_put_s32 to return -EMSGSIZE. This triggers a WARN_ON in rtnetlink and prevents the kernel from dumping the interface information, breaking management tools that rely on retrieving interface details. The flaw does not provide arbitrary code execution but disrupts normal operation of macvlan interfaces, effectively denying access to interface metadata.

Affected Systems

The bug resides in the Linux kernel itself, affecting all distributions that ship a kernel version containing the unpatched code path. The problematic code was introduced with the addition of the bc_cutoff netlink attribute in newer kernel releases and was corrected by later patches. Consequently, any system running a kernel before the fix that uses macvlan interfaces with the bc_cutoff attribute may be impacted.

Risk and Exploitability

The CVSS score for this vulnerability is 5.5, indicating moderate severity. The EPSS score is <1%, suggesting a low probability of exploitation. The issue is not listed in CISA’s KEV catalog, implying no known widespread exploitation. Based on the description, it is inferred that an attacker with local privileges (CAP_NET_ADMIN or root) would need to send a netlink request that sets bc_cutoff to 0 while querying a macvlan interface. The missing size calculation leads to an -EMSGSIZE error in nla_put_s32, triggering a WARN_ON in rtnetlink and preventing the interface from being dumped, resulting in a denial of service that blocks retrieval of macvlan interface details.

Generated by OpenCVE AI on June 27, 2026 at 02:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the running Linux kernel to a version that includes the 55cef78c244d patch or later.
  • Reconfigure existing macvlan interfaces to avoid setting bc_cutoff to 0 or any value other than 1, or remove the bc_cutoff attribute entirely until the patch is deployed.
  • Test that netlink queries for macvlan interfaces succeed after the upgrade or configuration change by running "ip -d link show <interface>".

Generated by OpenCVE AI on June 27, 2026 at 02:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF macvlan_get_size() does not account for IFLA_MACVLAN_BC_CUTOFF, but macvlan_fill_info() conditionally includes it when port->bc_cutoff != 1. This causes nla_put_s32() to fail with -EMSGSIZE when the netlink skb runs out of space, triggering a WARN_ON in rtnetlink and preventing the interface from being dumped. The bug can be reproduced with: ip link add macvlan0 link eth0 type macvlan mode bridge ip link set macvlan0 type macvlan bc_cutoff 0 ip -d link show macvlan0 # fails with -EMSGSIZE The bc_cutoff feature was added in commit 954d1fa1ac93 ("macvlan: Add netlink attribute for broadcast cutoff"), which added the nla_put_s32() call in macvlan_fill_info() but missed adding the corresponding nla_total_size(4) in macvlan_get_size(). A follow-up commit 55cef78c244d ("macvlan: add forgotten nla_policy for IFLA_MACVLAN_BC_CUTOFF") fixed the missing nla_policy entry but still did not fix the size calculation.
Title macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:23.856Z

Reserved: 2026-06-09T07:44:35.378Z

Link: CVE-2026-53013

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53013 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T02:30:03Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-131

    Incorrect Calculation of Buffer Size