Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register

NFT_META_BRI_IIFHWADDR declares its destination register with
len = ETH_ALEN (6 bytes), which the register-init tracking rounds up to
two 32-bit registers (8 bytes). nft_meta_bridge_get_eval() then does
memcpy(dest, br_dev->dev_addr, ETH_ALEN), writing only 6 bytes and
leaving the upper 2 bytes of the second register as uninitialised
nft_do_chain() stack. A downstream load of that register span leaks
those stale bytes to userspace.

Zero the second register before the memcpy so the full declared span is
written.
Published: 2026-06-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Linux kernel netfilter nft_meta_bridge subsystem causes a stale stack leak via the IIFHWADDR register. The destination register is declared to hold 6 bytes but the kernel rounds it to 8 bytes. A memcpy then copies only 6 bytes from the bridge device address, leaving the upper two bytes of the register uninitialized on the stack. Those stale bytes are later loaded by nft_do_chain() and can be read by userspace, leaking sensitive data from kernel memory.

Affected Systems

All Linux kernel releases before the inclusion of commit 07acb979 are affected. Any kernel that contains nft_meta_bridge for bridge interfaces and implements the legacy IIFHWADDR register handling is vulnerable. This includes mainstream distributions whose kernels ship without the patch.

Risk and Exploitability

The vulnerability has a CVSS score of 5.5, indicating moderate severity, and an EPSS score of less than 1%, implying a very low exploitation probability. It requires local or privileged execution of nftables commands against the target kernel, making remote exploitation unlikely without further privilege escalation. The bug is not listed in the CISA KEV catalog, reducing the likelihood of widespread exploitation. Nonetheless, the ability to read arbitrary kernel memory is concerning, so the risk is considered moderate but potentially impactful if an attacker can gain local access.

Generated by OpenCVE AI on June 26, 2026 at 15:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the fix for commit 07acb979, which zeroes the second register before the memcpy, removing the stale bytes.
  • If no official kernel update is available, apply the patch corresponding to commit 07acb979 to your kernel source and rebuild the kernel.
  • Reboot the system to load the patched kernel and ensure the nft_meta_bridge module is running from the updated code.

Generated by OpenCVE AI on June 26, 2026 at 15:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register NFT_META_BRI_IIFHWADDR declares its destination register with len = ETH_ALEN (6 bytes), which the register-init tracking rounds up to two 32-bit registers (8 bytes). nft_meta_bridge_get_eval() then does memcpy(dest, br_dev->dev_addr, ETH_ALEN), writing only 6 bytes and leaving the upper 2 bytes of the second register as uninitialised nft_do_chain() stack. A downstream load of that register span leaks those stale bytes to userspace. Zero the second register before the memcpy so the full declared span is written.
Title netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:16.234Z

Reserved: 2026-06-09T07:44:35.391Z

Link: CVE-2026-53211

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53211 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T15:45:02Z

Weaknesses
  • CWE-131

    Incorrect Calculation of Buffer Size