CVE-2026-53218 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_exthdr: fix register tracking for F_PRESENT flag

nft_exthdr_init() passes user-controlled priv->len to
nft_parse_register_store(), which marks that many bytes in the
register bitmap as initialized. However, when NFT_EXTHDR_F_PRESENT
is set, the eval paths write only 1 byte (nft_reg_store8) or
4 bytes (*dest = 0 on TCP/DCCP error path). When len > 4,
registers beyond the first are never written, retaining
uninitialized stack data from nft_regs.

Bail out if userspace requests too much data when F_PRESENT is set.

Published: 2026-06-25

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel’s netfilter framework, the nft_exthdr component incorrectly tracks the initialization status of registers. When the F_PRESENT flag is set, nft_exthdr_init passes a user supplied length to nft_parse_register_store, marking that many registers as initialized. The subsequent evaluation path only writes one or a few bytes, but the registered bitmap remains marked as initialized beyond that point. Consequently, registers beyond the first are never written, leaving uninitialized stack data in nft_regs, which can be read by attackers and can expose sensitive information within the kernel.

Affected Systems

All Linux kernel builds that include the nft_exthdr extension without the patch are affected. The specific version range is not enumerated, but any kernel release containing the unpatched nft_exthdr code is vulnerable.

Risk and Exploitability

Because the flaw deals with uninitialized registers, an attacker could potentially extract kernel memory contents or influence further kernel behavior. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, so no known widespread exploitation has been observed. The CVSS score is unspecified in the advisory, but the nature of the bug indicates a moderate to high severity for kernel‑privileged attackers.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783`	affected	< 8738b1b6d0e639ca1fc0f61516afd3557ac4ecc6
`c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783`	affected	< 19748967d59c31d24d21d40b728570788310b237
`c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783`	affected	< 46fc15a044e9938e7ea77786fb37edd2cd74f031
`c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783`	affected	< cd513e43b4b2bd1de39e2367bc4261c699a8652f
`c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783`	affected	< 67b27434c43b68a97becda98c9f0c8cf6cba2134
`c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783`	affected	< 78069a6d8bc86c9e036eb82c2af4a19cc1871a53
`c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783`	affected	< f08fb3d42fd3aad0b7a263da3ac3ebaf0845e265
`c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783`	affected	< 772cecf198da732faebb5dcfc46d66a505be8495

Linux

affected

Version	Status	Constraints
`4.11`	affected	—
`0`	unaffected	< 4.11
`5.10.259`	unaffected	≤ 5.10.*
`5.15.210`	unaffected	≤ 5.15.*
`6.1.176`	unaffected	≤ 6.1.*
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel patch that resolves the bookkeeping issue for the nft_exthdr component (upgrade to a kernel release that includes the fix).
If patching is not feasible immediately, disable the nft_exthdr extension or avoid using the F_PRESENT flag in netfilter rules.
As a temporary measure, limit the length parameter passed by user‑space to 4 bytes when using the F_PRESENT flag so that only the bytes that are correctly written are accessed.

Generated by OpenCVE AI on June 25, 2026 at 11:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00184.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/19748967d59c31d24d21d40b728570788310b237
https://git.kernel.org/stable/c/46fc15a044e9938e7ea77786fb37edd2cd74f031
https://git.kernel.org/stable/c/67b27434c43b68a97becda98c9f0c8cf6cba2134
https://git.kernel.org/stable/c/772cecf198da732faebb5dcfc46d66a505be8495
https://git.kernel.org/stable/c/78069a6d8bc86c9e036eb82c2af4a19cc1871a53
https://git.kernel.org/stable/c/8738b1b6d0e639ca1fc0f61516afd3557ac4ecc6
https://git.kernel.org/stable/c/cd513e43b4b2bd1de39e2367bc4261c699a8652f
https://git.kernel.org/stable/c/f08fb3d42fd3aad0b7a263da3ac3ebaf0845e265

History

Thu, 25 Jun 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-457

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_exthdr: fix register tracking for F_PRESENT flag nft_exthdr_init() passes user-controlled priv->len to nft_parse_register_store(), which marks that many bytes in the register bitmap as initialized. However, when NFT_EXTHDR_F_PRESENT is set, the eval paths write only 1 byte (nft_reg_store8) or 4 bytes (*dest = 0 on TCP/DCCP error path). When len > 4, registers beyond the first are never written, retaining uninitialized stack data from nft_regs. Bail out if userspace requests too much data when F_PRESENT is set.
Title		netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/19748967d59c31d24d21d40b728570788310b237 https://git.kernel.org/stable/c/46fc15a044e9938e7ea77786fb37edd2cd74f031 https://git.kernel.org/stable/c/67b27434c43b68a97becda98c9f0c8cf6cba2134 https://git.kernel.org/stable/c/772cecf198da732faebb5dcfc46d66a505be8495 https://git.kernel.org/stable/c/78069a6d8bc86c9e036eb82c2af4a19cc1871a53 https://git.kernel.org/stable/c/8738b1b6d0e639ca1fc0f61516afd3557ac4ecc6 https://git.kernel.org/stable/c/cd513e43b4b2bd1de39e2367bc4261c699a8652f https://git.kernel.org/stable/c/f08fb3d42fd3aad0b7a263da3ac3ebaf0845e265

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:39:21.069Z

Updated: 2026-06-25T08:39:21.069Z

Reserved: 2026-06-09T07:44:35.392Z

Link: CVE-2026-53218

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T12:00:14Z

Weaknesses

CWE-457
Use of Uninitialized Variable

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object