Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: require Ethernet MAC header before using eth_hdr()

`ip6t_eui64`, `xt_mac`, the `bitmap:ip,mac`, `hash:ip,mac`, and
`hash:mac` ipset types, and `nf_log_syslog` access `eth_hdr(skb)`
after either assuming that the skb is associated with an Ethernet
device or checking only that the `ETH_HLEN` bytes at
`skb_mac_header(skb)` lie between `skb->head` and `skb->data`.

Make these paths first verify that the skb is associated with an
Ethernet device, that the MAC header was set, and that it spans at
least a full Ethernet header before accessing `eth_hdr(skb)`.
Published: 2026-06-25
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, the netfilter processing logic for Ethernet headers incorrectly assumed that the socket buffer always had a valid Ethernet MAC header and performed a direct eth_hdr(skb) access. This oversight allowed crafted packets that lacked a proper MAC header or had an invalid pointer to read memory outside the intended bounds, leading to an out‑of‑bounds read and potentially a kernel crash. Attackers could trigger this error by sending specially crafted network frames that bypass normal packet validation causing denial of service.

Affected Systems

Affected systems are Linux kernels that ship with the netfilter modules ip6t_eui64, xt_mac, and ipset types bitmap:ip,mac, hash:ip,mac, hash:mac, plus the nf_log_syslog feature. The CPE specification indicates the impact spans all Linux kernel releases; any build that includes these modules before the patch is vulnerable.

Risk and Exploitability

The CVSS score of 9.4 reflects critical severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability does not appear in the CISA KEV catalog. Based on the description, an attacker could deliver malicious network packets that reach the vulnerable netfilter components, leading to a kernel crash and denial of service.

Generated by OpenCVE AI on June 28, 2026 at 14:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that includes the netfilter patch that verifies the presence of an Ethernet MAC header before calling eth_hdr
  • If a kernel update is not yet available, disable or unload the problematic modules that rely on eth_hdr such as ip6t_eui64, xt_mac, the ipset types bitmap:ip,mac, hash:ip,mac, hash:mac, and nf_log_syslog
  • Apply additional network filtering or firewall rules so that only trusted traffic reaches the netfilter modules, reducing the window of opportunity for an attacker

Generated by OpenCVE AI on June 28, 2026 at 14:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H'}


Fri, 26 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: require Ethernet MAC header before using eth_hdr() `ip6t_eui64`, `xt_mac`, the `bitmap:ip,mac`, `hash:ip,mac`, and `hash:mac` ipset types, and `nf_log_syslog` access `eth_hdr(skb)` after either assuming that the skb is associated with an Ethernet device or checking only that the `ETH_HLEN` bytes at `skb_mac_header(skb)` lie between `skb->head` and `skb->data`. Make these paths first verify that the skb is associated with an Ethernet device, that the MAC header was set, and that it spans at least a full Ethernet header before accessing `eth_hdr(skb)`.
Title netfilter: require Ethernet MAC header before using eth_hdr()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-29T04:18:50.562Z

Reserved: 2026-06-09T07:44:35.386Z

Link: CVE-2026-53131

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53131 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:30:07Z

Weaknesses