Description
In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir

In tcf_blockcast_redir(), when iterating block ports to redirect
packets to multiple devices, the mac_header_xmit flag is queried
from the wrong device. The loop sends to dev_prev but queries
dev_is_mac_header_xmit(dev) — which is the NEXT device in the
iteration, not the one being sent to.

This causes tcf_mirred_to_dev() to make incorrect decisions about
whether to push or pull the MAC header. When the block contains
mixed device types (e.g., an ethernet veth and a tunnel device),
intermediate devices get the wrong mac_header_xmit flag, leading to
skb header corruption. In the worst case, skb_push_rcsum with an
incorrect mac_len can exhaust headroom and panic.

The last device in the loop is handled correctly (line 365-366 uses
dev_is_mac_header_xmit(dev_prev)), confirming this is a copy-paste
oversight for the intermediate devices.

Fix by using dev_prev instead of dev for the mac_header_xmit query,
consistent with the device actually being sent to.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic error in Linux kernel traffic‑control mirred logic causes the wrong network device to be queried for mac_header_xmit when redirecting packets to multiple devices. This mis‑retrieval leads to incorrect MAC header handling, resulting in skb header corruption, headroom exhaustion, and a potential kernel panic— a denial‑of‑service impact.

Affected Systems

The vulnerability affects the Linux kernel itself. All distributions shipping kernel versions that contain the buggy tcf_blockcast_redir logic are potentially impacted; any release prior to the patch that implements the corrected device check is vulnerable.

Risk and Exploitability

The bug represents a buffer misuse (CWE‑805) and can cause a complete kernel crash when traffic is routed through a mirred block with mixed device types. The CVSS score of 5.5 indicates medium impact severity. The EPSS score (< 1 %) and absence from the CISA KEV catalog suggest low current exploitation probability, but the severity of a kernel panic warrants prompt remediation. An attacker could trigger the flaw by crafting traffic that flows through a vulnerable mirred block, either from a local source or via a compromised network path that can influence packet handling.

Generated by OpenCVE AI on June 26, 2026 at 04:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that corrects the tcf_blockcast_redir mac_header_xmit check, addressing the incorrect buffer usage described by CWE‑805.
  • Upgrade to a Linux kernel release that incorporates the fix, or rebuild the kernel with the patch to correct the buffer boundary error.
  • If a patch or updated kernel is not yet available, disable mirred/tcf_blockcast_redir functionality or limit mirred blocks to device types that share the same mac_header_xmit flag to avoid the buffer misuse scenario associated with CWE‑805.

Generated by OpenCVE AI on June 26, 2026 at 04:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-805
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir In tcf_blockcast_redir(), when iterating block ports to redirect packets to multiple devices, the mac_header_xmit flag is queried from the wrong device. The loop sends to dev_prev but queries dev_is_mac_header_xmit(dev) — which is the NEXT device in the iteration, not the one being sent to. This causes tcf_mirred_to_dev() to make incorrect decisions about whether to push or pull the MAC header. When the block contains mixed device types (e.g., an ethernet veth and a tunnel device), intermediate devices get the wrong mac_header_xmit flag, leading to skb header corruption. In the worst case, skb_push_rcsum with an incorrect mac_len can exhaust headroom and panic. The last device in the loop is handled correctly (line 365-366 uses dev_is_mac_header_xmit(dev_prev)), confirming this is a copy-paste oversight for the intermediate devices. Fix by using dev_prev instead of dev for the mac_header_xmit query, consistent with the device actually being sent to.
Title net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:24.605Z

Reserved: 2026-06-09T07:44:35.378Z

Link: CVE-2026-53014

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53014 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T04:15:11Z

Weaknesses
  • CWE-805

    Buffer Access with Incorrect Length Value