Impact
The ebtables SNAT target can write the ARP sender hardware address without ensuring the target portion of the packet buffer is writable. When the packet data structure is non‑linear, this write occurs directly into a fragment’s backing page that may not be writable, creating an out‑of‑bounds write that corrupts kernel memory. Based on the description, this kernel memory corruption could allow an attacker who can manipulate ebtables rules to gain arbitrary write access to memory, potentially resulting in local privilege escalation.
Affected Systems
The flaw resides in the Linux kernel’s bridge ebtables implementation. All Linux distributions that run an unpatched Linux kernel built before the referenced commits are affected. No explicit version range is provided, so any host running a kernel older than the fix is susceptible.
Risk and Exploitability
The CVSS score of 8.8 indicates a high severity vulnerability. The EPSS score is less than 1%, and the vulnerability is not listed in the CISA KEV catalog, implying that it has not yet been publicly exploited. The attack vector is inferred to be local, requiring the ability to add or modify ebtables rules on the target host. While exploitation complexity appears moderate to high, the potential impact on confidentiality, integrity, and availability is severe if an attacker succeeds in corrupting kernel memory.
OpenCVE Enrichment
Debian DLA