Impact
A flaw in the Linux kernel netfilter nft_meta_bridge subsystem causes a stale stack leak via the IIFHWADDR register. The destination register is declared to hold 6 bytes but the kernel rounds it to 8 bytes. A memcpy then copies only 6 bytes from the bridge device address, leaving the upper two bytes of the register uninitialized on the stack. Those stale bytes are later loaded by nft_do_chain() and can be read by userspace, leaking sensitive data from kernel memory.
Affected Systems
All Linux kernel releases before the inclusion of commit 07acb979 are affected. Any kernel that contains nft_meta_bridge for bridge interfaces and implements the legacy IIFHWADDR register handling is vulnerable. This includes mainstream distributions whose kernels ship without the patch.
Risk and Exploitability
The vulnerability has a CVSS score of 5.5, indicating moderate severity, and an EPSS score of less than 1%, implying a very low exploitation probability. It requires local or privileged execution of nftables commands against the target kernel, making remote exploitation unlikely without further privilege escalation. The bug is not listed in the CISA KEV catalog, reducing the likelihood of widespread exploitation. Nonetheless, the ability to read arbitrary kernel memory is concerning, so the risk is considered moderate but potentially impactful if an attacker can gain local access.
OpenCVE Enrichment