Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_ct: bail out on template ct in get eval

I noticed this issue while looking at a historic syzbot report [1].

A rule like the one below is enough to trigger the bug:

table ip t {
chain pre {
type filter hook prerouting priority raw;
ct zone set 1
ct original saddr 1.2.3.4 accept
}
}

The first expression attaches a per-cpu template ct via
nft_ct_set_zone_eval() (nf_ct_tmpl_alloc -> kzalloc, tuple is all
zero, nf_ct_l3num(ct) == 0). The next expression then calls
nft_ct_get_eval() on the same skb, treats the template as a real ct
and hits the 16-byte memcpy path. With dreg at NFT_REG32_15 this
overflows past struct nft_regs on the kernel stack; with smaller
dreg values it silently clobbers adjacent registers.

Reject template ct at the eval entry and in nft_ct_get_fast_eval(),
mirroring the check nft_ct_set_eval() already has. Additionally,
bound the address copy in NFT_CT_SRC / NFT_CT_DST by priv->len
instead of by nf_ct_l3num(ct): nf_ct_get_tuple() zeroes the tuple
before pkt_to_tuple() fills in only the protocol-relevant leading
bytes, so the trailing bytes of tuple->{src,dst}.u3.all are
well-defined zero. priv->len is validated at rule load, so the
copy size is now bounded by the destination register rather than
by an untrusted field on the conntrack.

[1]: https://syzkaller.appspot.com/bug?id=389cf09cb72926114fce90dc85a2c3231dcb647c
Published: 2026-06-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel’s nftables framework, a flaw in the nft_ct module allows an attacker to trigger a 16‑byte memcpy overflow on the kernel stack. The defect occurs when a rule sets a connection‑track zone and then requests the original connection data, causing the kernel to treat an uninitialized template as a real entry. When the overflow executes, it can corrupt adjacent stack frames, potentially leading to a kernel crash or execution of attacker‑controlled code. The vulnerability is a classic stack buffer overflow (CWE‑787) and is capable, if exploited, of escalating privilege from unprivileged to privileged or kernel level.

Affected Systems

Any Linux kernel build that includes the nft_ct component of nftables is susceptible. The description does not specify vulnerable kernel versions, so all current and past releases with this subsystem are potentially affected until the upstream patch is applied. The impact applies to all Linux kernel variants, as the vulnerability resides in the core netfilter component of nftables.

Risk and Exploitability

The CVSS score of 7.8 classifies this flaw as high severity. The EPSS score is reported as <1 %, indicating that the probability of exploitation is currently very low. It is not listed in the CISA KEV catalog, meaning no documented public exploitation is known. The likely attack vector is crafted network traffic directed at a vulnerable nftables rule, based on the description, implying a remote network‑based entry. Because the vulnerability exploits an out‑of‑bounds memcpy on the kernel stack, the impact could be denial of service, data corruption, or privilege escalation if the overflow is successfully controlled. Although the exploitation likelihood remains low, the potential damage warrants immediate remediation.

Generated by OpenCVE AI on June 28, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the upstream patch addressing the nft_ct stack overflow.
  • Temporarily adjust nftables rules that use \"ct zone set\" followed by \"ct original\" to avoid the vulnerable sequence until a patch is available.
  • Reload or restart the nftables service after making rule changes to ensure the updated configuration takes effect.

Generated by OpenCVE AI on June 28, 2026 at 14:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Thu, 25 Jun 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: bail out on template ct in get eval I noticed this issue while looking at a historic syzbot report [1]. A rule like the one below is enough to trigger the bug: table ip t { chain pre { type filter hook prerouting priority raw; ct zone set 1 ct original saddr 1.2.3.4 accept } } The first expression attaches a per-cpu template ct via nft_ct_set_zone_eval() (nf_ct_tmpl_alloc -> kzalloc, tuple is all zero, nf_ct_l3num(ct) == 0). The next expression then calls nft_ct_get_eval() on the same skb, treats the template as a real ct and hits the 16-byte memcpy path. With dreg at NFT_REG32_15 this overflows past struct nft_regs on the kernel stack; with smaller dreg values it silently clobbers adjacent registers. Reject template ct at the eval entry and in nft_ct_get_fast_eval(), mirroring the check nft_ct_set_eval() already has. Additionally, bound the address copy in NFT_CT_SRC / NFT_CT_DST by priv->len instead of by nf_ct_l3num(ct): nf_ct_get_tuple() zeroes the tuple before pkt_to_tuple() fills in only the protocol-relevant leading bytes, so the trailing bytes of tuple->{src,dst}.u3.all are well-defined zero. priv->len is validated at rule load, so the copy size is now bounded by the destination register rather than by an untrusted field on the conntrack. [1]: https://syzkaller.appspot.com/bug?id=389cf09cb72926114fce90dc85a2c3231dcb647c
Title netfilter: nft_ct: bail out on template ct in get eval
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:41:11.085Z

Reserved: 2026-06-09T07:44:35.395Z

Link: CVE-2026-53267

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53267 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:45:17Z

Weaknesses