Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: bridge: make ebt_snat ARP rewrite writable

The ebtables SNAT target keeps the Ethernet source address rewrite
behind skb_ensure_writable(skb, 0). This is intentional: at the bridge
ebtables hooks the Ethernet header is addressed through
skb_mac_header()/eth_hdr(), while skb->data points at the Ethernet
payload. Asking skb_ensure_writable() for ETH_HLEN bytes would check
the payload, not the Ethernet header, and would reintroduce the small
packet regression fixed by commit 63137bc5882a.

However, the optional ARP sender hardware address rewrite is different.
It writes through skb_store_bits() at an offset relative to skb->data:

skb_store_bits(skb, sizeof(struct arphdr), info->mac, ETH_ALEN)

skb_header_pointer() only safely reads the ARP header; it does not make
the later sender hardware address range writable. If that range is
still held in a nonlinear skb fragment backed by a splice-imported file
page, skb_store_bits() maps the frag page and copies the new MAC address
directly into it.

Ensure the ARP SHA range is writable before reading the ARP header and
before calling skb_store_bits().
Published: 2026-06-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ebtables SNAT target can write the ARP sender hardware address without ensuring the target portion of the packet buffer is writable. When the packet data structure is non‑linear, this write occurs directly into a fragment’s backing page that may not be writable, creating an out‑of‑bounds write that corrupts kernel memory. Based on the description, this kernel memory corruption could allow an attacker who can manipulate ebtables rules to gain arbitrary write access to memory, potentially resulting in local privilege escalation.

Affected Systems

The flaw resides in the Linux kernel’s bridge ebtables implementation. All Linux distributions that run an unpatched Linux kernel built before the referenced commits are affected. No explicit version range is provided, so any host running a kernel older than the fix is susceptible.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity vulnerability. The EPSS score is less than 1%, and the vulnerability is not listed in the CISA KEV catalog, implying that it has not yet been publicly exploited. The attack vector is inferred to be local, requiring the ability to add or modify ebtables rules on the target host. While exploitation complexity appears moderate to high, the potential impact on confidentiality, integrity, and availability is severe if an attacker succeeds in corrupting kernel memory.

Generated by OpenCVE AI on June 28, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the operating system to a kernel version that includes the patch implementing writable ARP rewrite handling.
  • If an immediate update is not available, disable or limit ebtables SNAT functionality in bridge configuration or restrict rule manipulation to privileged users only.
  • As a last resort, manually apply the kernel patch from the vendor source, rebuild the kernel, and deploy the patched image.

Generated by OpenCVE AI on June 28, 2026 at 15:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Tue, 30 Jun 2026 00:45:00 +0000


Sun, 28 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-243

Sun, 28 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Thu, 25 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: bridge: make ebt_snat ARP rewrite writable The ebtables SNAT target keeps the Ethernet source address rewrite behind skb_ensure_writable(skb, 0). This is intentional: at the bridge ebtables hooks the Ethernet header is addressed through skb_mac_header()/eth_hdr(), while skb->data points at the Ethernet payload. Asking skb_ensure_writable() for ETH_HLEN bytes would check the payload, not the Ethernet header, and would reintroduce the small packet regression fixed by commit 63137bc5882a. However, the optional ARP sender hardware address rewrite is different. It writes through skb_store_bits() at an offset relative to skb->data: skb_store_bits(skb, sizeof(struct arphdr), info->mac, ETH_ALEN) skb_header_pointer() only safely reads the ARP header; it does not make the later sender hardware address range writable. If that range is still held in a nonlinear skb fragment backed by a splice-imported file page, skb_store_bits() maps the frag page and copies the new MAC address directly into it. Ensure the ARP SHA range is writable before reading the ARP header and before calling skb_store_bits().
Title netfilter: bridge: make ebt_snat ARP rewrite writable
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:41:09.601Z

Reserved: 2026-06-09T07:44:35.395Z

Link: CVE-2026-53266

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53266 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T16:00:07Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-243

    Creation of chroot Jail Without Changing Working Directory