Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_fib: fix stale stack leak via the OIFNAME register

For NFT_FIB_RESULT_OIFNAME the destination register is declared with
len = IFNAMSIZ (four 32-bit registers), but on the lookup-fail,
RTN_LOCAL and oif-mismatch paths nft_fib{4,6}_eval() only writes one
register via "*dest = 0". The remaining three registers are left as
whatever was on the stack in nft_do_chain()'s struct nft_regs, and a
downstream expression that loads the register span can leak that
uninitialised kernel stack to userspace.

The NFTA_FIB_F_PRESENT existence check has the same shape: it is only
meaningful for NFT_FIB_RESULT_OIF, yet it was accepted for any result type
while the eval stores a single byte via nft_reg_store8(), leaving the rest
of the declared span stale.

Fix both:

- replace the bare "*dest = 0" in the eval with nft_fib_store_result(),
which strscpy_pad()s the whole IFNAMSIZ for OIFNAME (and is already
used on the other early-return path), and

- restrict NFTA_FIB_F_PRESENT to NFT_FIB_RESULT_OIF and declare its
destination as a single u8, so the marked span matches the one byte
the eval writes.
Published: 2026-06-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the nft_fib module of the Linux kernel’s netfilter subsystem, where a designated register span for the outgoing interface name (IFNAMSIZ bytes) is declared but only a single 32‑bit zero value is written during failure paths. The remaining registers retain whatever data was on the kernel stack at that time. Downstream nftables expressions that read the full span can expose this uninitialized data to userspace, revealing sensitive kernel stack content. A similar issue exists for the NFTA_FIB_F_PRESENT flag, where a single byte is stored into a larger declared span, again creating a stale memory area that can be read. This leads to a local information disclosure vulnerability via kernel stack leakage.

Affected Systems

Any Linux kernel released before the commits referenced in the advisory is susceptible. The advisory lists several commit hashes; any distribution kernel that has not incorporated those changes remains potentially vulnerable. Administrators should confirm whether their running kernel contains the patches starting with commit 3544210609f6d1db282bbdeca639104ef624c393 or equivalent, and update to the latest stable kernel release that includes them.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity assessment, and the EPSS score of <1% suggests a low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a local user who crafts nftables rules that reference the OIFNAME register or the NFTA_FIB_F_PRESENT flag, allowing them to read the stale stack and leak uninitialized data; no public exploits are known. Because the flaw leaks uninitialized kernel stack data, an attacker could use this information to facilitate further attacks, but no direct remote code execution or privilege escalation is available. Prompt remediation is advisable due to the kernel‑level nature of the leak and the potential for future chaining attacks.

Generated by OpenCVE AI on June 26, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the system to a Linux kernel version that incorporates the commits cited in the advisory, thereby applying the nft_fib_store_result() patch and correcting the NFTA_FIB_F_PRESENT span.
  • Reboot the machine so the updated kernel becomes active.
  • If an immediate kernel upgrade is not possible, modify nftables configurations to avoid using the OIFNAME register or the NFTA_FIB_F_PRESENT flag in any rules, effectively eliminating the code paths that could expose uninitialized data.

Generated by OpenCVE AI on June 26, 2026 at 15:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Fri, 26 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-457

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-457

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_fib: fix stale stack leak via the OIFNAME register For NFT_FIB_RESULT_OIFNAME the destination register is declared with len = IFNAMSIZ (four 32-bit registers), but on the lookup-fail, RTN_LOCAL and oif-mismatch paths nft_fib{4,6}_eval() only writes one register via "*dest = 0". The remaining three registers are left as whatever was on the stack in nft_do_chain()'s struct nft_regs, and a downstream expression that loads the register span can leak that uninitialised kernel stack to userspace. The NFTA_FIB_F_PRESENT existence check has the same shape: it is only meaningful for NFT_FIB_RESULT_OIF, yet it was accepted for any result type while the eval stores a single byte via nft_reg_store8(), leaving the rest of the declared span stale. Fix both: - replace the bare "*dest = 0" in the eval with nft_fib_store_result(), which strscpy_pad()s the whole IFNAMSIZ for OIFNAME (and is already used on the other early-return path), and - restrict NFTA_FIB_F_PRESENT to NFT_FIB_RESULT_OIF and declare its destination as a single u8, so the marked span matches the one byte the eval writes.
Title netfilter: nft_fib: fix stale stack leak via the OIFNAME register
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:38:23.348Z

Reserved: 2026-06-09T07:44:35.386Z

Link: CVE-2026-53134

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53134 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T16:00:04Z

Weaknesses
  • CWE-824

    Access of Uninitialized Pointer