Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: x_tables: avoid leaking percpu counter pointers

The native and compat get-entries paths copy the fixed rule entry header
from the kernelized rule blob to userspace before overwriting the entry's
counter fields with a sanitized counter snapshot.

On SMP kernels, entry->counters.pcnt contains the percpu allocation
address used by x_tables rule counters. A caller can provide a userspace
buffer that faults during the initial fixed-header copy after pcnt has
been copied but before the later sanitized counter copy runs. The syscall
then returns -EFAULT while leaving the raw percpu pointer in userspace.

Copy only the fixed entry prefix before counters from the kernelized rule
blob, then copy the sanitized counter snapshot into the counter field.
Apply this ordering to the IPv4, IPv6, and ARP native and compat
get-entries implementations so a fault cannot expose the internal percpu
counter pointer.
Published: 2026-06-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Linux kernel versions before commit 08a3e218064db11f154ad9ad5541751ea7f34ebe, the netfilter x_tables get‑entries implementation copies a per‑CPU counter pointer from kernel space to a userspace buffer before sanitizing the pointer. On SMP systems, this behavior allows a local user to trigger a fault during the copy and receive the raw kernel pointer in userspace, resulting in a data exposure vulnerability consistent with CWE‑1098.

Affected Systems

All Linux kernel installations running a kernel older than the commit that added the fix are vulnerable. The patch was merged into mainline on the commit date, so any kernel version newer than that is considered non‑vulnerable.

Risk and Exploitability

The vulnerability is local and requires the ability to execute a get‑entries system call, which is typically available to any regular user. The EPSS score indicates an exploitation probability of less than 1 %. The CVSS score of 5.5 denotes a moderate impact. Because the leak provides a raw kernel memory address, an attacker could leverage it in a chained exploit to aid privilege escalation, but a direct full compromise requires additional kernel vulnerabilities or code execution primitives. The vulnerability is not listed in CISA KEV, so no widespread exploitation has been reported.

Generated by OpenCVE AI on June 26, 2026 at 05:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains commit 08a3e218064db11f154ad9ad5541751ea7f34ebe or later, which corrects the counter copying order.
  • Reboot the system after upgrading to load the new kernel and activate the fix.
  • If an immediate kernel upgrade is not possible, disable or restrict any utilities that invoke the vulnerable get‑entries path (e.g., iptables, nft) until the kernel can be updated.

Generated by OpenCVE AI on June 26, 2026 at 05:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Fri, 26 Jun 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1098
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: avoid leaking percpu counter pointers The native and compat get-entries paths copy the fixed rule entry header from the kernelized rule blob to userspace before overwriting the entry's counter fields with a sanitized counter snapshot. On SMP kernels, entry->counters.pcnt contains the percpu allocation address used by x_tables rule counters. A caller can provide a userspace buffer that faults during the initial fixed-header copy after pcnt has been copied but before the later sanitized counter copy runs. The syscall then returns -EFAULT while leaving the raw percpu pointer in userspace. Copy only the fixed entry prefix before counters from the kernelized rule blob, then copy the sanitized counter snapshot into the counter field. Apply this ordering to the IPv4, IPv6, and ARP native and compat get-entries implementations so a fault cannot expose the internal percpu counter pointer.
Title netfilter: x_tables: avoid leaking percpu counter pointers
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:21.730Z

Reserved: 2026-06-09T07:44:35.392Z

Link: CVE-2026-53219

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53219 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T05:45:04Z

Weaknesses
  • CWE-1098

    Data Element containing Pointer Item without Proper Copy Control Element