CVE-2026-53131 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: require Ethernet MAC header before using eth_hdr()

`ip6t_eui64`, `xt_mac`, the `bitmap:ip,mac`, `hash:ip,mac`, and
`hash:mac` ipset types, and `nf_log_syslog` access `eth_hdr(skb)`
after either assuming that the skb is associated with an Ethernet
device or checking only that the `ETH_HLEN` bytes at
`skb_mac_header(skb)` lie between `skb->head` and `skb->data`.

Make these paths first verify that the skb is associated with an
Ethernet device, that the MAC header was set, and that it spans at
least a full Ethernet header before accessing `eth_hdr(skb)`.

Published: 2026-06-25

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel, netfilter logic that extracts Ethernet headers via eth_hdr assumed the socket buffer was associated with an Ethernet device and that a full Ethernet header was present. The missing checks allowed a crafted packet to trigger an invalid memory access when the code used eth_hdr, potentially causing a kernel fault, data exposure or denial of service.

Affected Systems

The vulnerability affects all Linux kernel builds that include the netfilter modules ip6t_eui64, xt_mac, the ipset types bitmap:ip,mac, hash:ip,mac, hash:mac, and the nf_log_syslog feature. No specific kernel version is listed; any kernel exposing these modules before the applied patch is impacted.

Risk and Exploitability

There is no CVSS score or EPSS information available, but the flaw touches the kernel privilege level and can crash or corrupt kernel memory. Exploitation would involve delivering a specially crafted network packet that is processed by one of the affected netfilter modules. Although not listed in the CISA KEV catalog, the severity and potential impact make it a high‑risk issue. Attackers could achieve denial of service or, in rare cases, kernel memory disclosure if the fault occurs in a context that exposes sensitive data.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 4435888e1bf139d2bfe5911643d4217382136743
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 063f43361e884acd7300790e90194430275d0d0c
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 726abf97566867f808fec9d8a408eb9698bd570a
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 367abcacc13a8e2e7624408b7f593bd1e60e49d9
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 5d634afb8b83b49de562792fd0d047416a43bd4d
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< cea435ea7e868ea6fdf039bc4f2090c1d829b556
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 62443dc21114c0bbc476fa62973db89743f2f137
`0`	affected	< 5.15.210
`0`	affected	< 6.1.176
`0`	affected	< 6.6.143
`0`	affected	< 6.12.94
`0`	affected	< 6.18.36
`0`	affected	< 7.0.13

Linux

affected

Version	Status	Constraints
`5.15.210`	unaffected	≤ 5.15.*
`6.1.176`	unaffected	≤ 6.1.*
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a release that contains the netfilter patch that checks for an Ethernet header before calling eth_hdr
If a kernel update is not immediately available, temporarily disable the netfilter modules that use eth_hdr (ip6t_eui64, xt_mac, hash:mac, hash:ip,mac, bitmap:ip,mac, nf_log_syslog) or remove them from the running configuration
Apply any vendor‑specific workarounds or advisories that recommend resetting the MAC header or validating skb->mac_header before processing packets

Generated by OpenCVE AI on June 25, 2026 at 10:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/063f43361e884acd7300790e90194430275d0d0c
https://git.kernel.org/stable/c/367abcacc13a8e2e7624408b7f593bd1e60e49d9
https://git.kernel.org/stable/c/4435888e1bf139d2bfe5911643d4217382136743
https://git.kernel.org/stable/c/5d634afb8b83b49de562792fd0d047416a43bd4d
https://git.kernel.org/stable/c/62443dc21114c0bbc476fa62973db89743f2f137
https://git.kernel.org/stable/c/726abf97566867f808fec9d8a408eb9698bd570a
https://git.kernel.org/stable/c/cea435ea7e868ea6fdf039bc4f2090c1d829b556

History

Thu, 25 Jun 2026 10:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: netfilter: require Ethernet MAC header before using eth_hdr() `ip6t_eui64`, `xt_mac`, the `bitmap:ip,mac`, `hash:ip,mac`, and `hash:mac` ipset types, and `nf_log_syslog` access `eth_hdr(skb)` after either assuming that the skb is associated with an Ethernet device or checking only that the `ETH_HLEN` bytes at `skb_mac_header(skb)` lie between `skb->head` and `skb->data`. Make these paths first verify that the skb is associated with an Ethernet device, that the MAC header was set, and that it spans at least a full Ethernet header before accessing `eth_hdr(skb)`.
Title		netfilter: require Ethernet MAC header before using eth_hdr()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/063f43361e884acd7300790e90194430275d0d0c https://git.kernel.org/stable/c/367abcacc13a8e2e7624408b7f593bd1e60e49d9 https://git.kernel.org/stable/c/4435888e1bf139d2bfe5911643d4217382136743 https://git.kernel.org/stable/c/5d634afb8b83b49de562792fd0d047416a43bd4d https://git.kernel.org/stable/c/62443dc21114c0bbc476fa62973db89743f2f137 https://git.kernel.org/stable/c/726abf97566867f808fec9d8a408eb9698bd570a https://git.kernel.org/stable/c/cea435ea7e868ea6fdf039bc4f2090c1d829b556

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:38:20.489Z

Updated: 2026-06-25T08:38:20.489Z

Reserved: 2026-06-09T07:44:35.386Z

Link: CVE-2026-53131

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T10:30:17Z

Weaknesses

CWE-20
Improper Input Validation

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object