CVE 9.4 CRITICAL

netfilter: require Ethernet MAC header before using eth_hdr()_CVE-2026-53131

June 28, 2026 invoker category_cve

9.4 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: require Ethernet MAC header before using eth_hdr()

`ip6t_eui64`, `xt_mac`, the `bitmap:ip,mac`, `hash:ip,mac`, and
`hash:mac` ipset types, and `nf_log_syslog` access `eth_hdr(skb)`
after either assuming that the skb is associated with an Ethernet
device or checking only that the `ETH_HLEN` bytes at
`skb_mac_header(skb)` lie between `skb->head` and `skb->data`.

Make these paths first verify that the skb is associated with an
Ethernet device, that the MAC header was set, and that it spans at
least a full Ethernet header before accessing `eth_hdr(skb)`.

AI Analysis

A vulnerability in the Linux kernel's netfilter component allows for potential unauthorized access due to insufficient verification of Ethernet MAC headers before using eth_hdr().

Basic Information

ID CVE-2026-53131

Source Linux

Published Jun 25, 2026 at 08:38

Modified Jun 28, 2026 at 06:39

Affected Product

Vendor Linux

Product Linux

Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Affected Versions Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 0
Linux Linux 0
Linux Linux 0
Linux Linux 0
Linux Linux 0
Linux Linux 0

AI Assessment

AI Score 9.4 / 10

AI Severity Critical

Vendor The Linux Foundation

Product Linux Kernel

Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: require Ethernet MAC header before using eth_hdr()\n\n`ip6t_eui64`, `xt_mac`, the `bitmap:ip,mac`, `hash:ip,mac`, and\n`hash:mac` ipset types, and `nf_log_syslog` access `eth_hdr(skb)`\nafter either assuming that the skb is associated with an Ethernet\ndevice or checking only that the `ETH_HLEN` bytes at\n`skb_mac_header(skb)` lie between `skb->head` and `skb->data`.\n\nMake these paths first verify that the skb is associated with an\nEthernet device, that the MAC header was set, and that it spans at\nleast a full Ethernet header before accessing `eth_hdr(skb)`.",
    "published": "2026-06-25T08:38:20.489Z",
    "modified": "2026-06-28T06:39:24.582Z",
    "type": "cve",
    "title": "netfilter: require Ethernet MAC header before using eth_hdr()",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/4435888e1bf139d2bfe5911643d4217382136743\nhttps://git.kernel.org/stable/c/063f43361e884acd7300790e90194430275d0d0c\nhttps://git.kernel.org/stable/c/726abf97566867f808fec9d8a408eb9698bd570a\nhttps://git.kernel.org/stable/c/367abcacc13a8e2e7624408b7f593bd1e60e49d9\nhttps://git.kernel.org/stable/c/5d634afb8b83b49de562792fd0d047416a43bd4d\nhttps://git.kernel.org/stable/c/cea435ea7e868ea6fdf039bc4f2090c1d829b556\nhttps://git.kernel.org/stable/c/62443dc21114c0bbc476fa62973db89743f2f137",
    "id": "CVE-2026-53131",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 0\nLinux Linux 0\nLinux Linux 0\nLinux Linux 0\nLinux Linux 0\nLinux Linux 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.4,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
    "vendor": "Linux",
    "ai_description": "A vulnerability in the Linux kernel's netfilter component allows for potential unauthorized access due to insufficient verification of Ethernet MAC headers before using eth_hdr().",
    "ai_severity": "Critical",
    "ai_vendor": "The Linux Foundation",
    "ai_product": "Linux Kernel",
    "ai_version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
    "ai_score": 9.4
}

💭 Join the Security Discussion ❌ Cancel Reply