netfilter: nf_log: validate MAC header was set before dumping it

7.1 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_log: validate MAC header was set before dumping it

The fallback path of dump_mac_header() guards the MAC header access
only with "skb->mac_header != skb->network_header", without checking
skb_mac_header_was_set(). When the MAC header is unset, mac_header is
0xffff, so the test passes and skb_mac_header(skb) returns
skb->head + 0xffff, ~64 KiB past the buffer; the loop then reads
dev->hard_header_len bytes out of bounds into the kernel log.

This is reachable via the netdev logger: nf_log_unknown_packet() calls
dump_mac_header() unconditionally, and an skb sent through AF_PACKET
with PACKET_QDISC_BYPASS reaches the egress hook with mac_header still
unset (__dev_queue_xmit(), which would reset it, is bypassed).

Add the skb_mac_header_was_set() check the ARPHRD_ETHER path already
uses, and replace the open-coded MAC header length test with
skb_mac_header_len(). Only skbs with an unset MAC header are affected;
valid ones are dumped as before.

BUG: KASAN: slab-out-of-bounds in dump_mac_header (net/netfilter/nf_log_syslog.c:831)
Read of size 1 at addr ffff88800ea49d3f by task exploit/148
Call Trace:
kasan_report (mm/kasan/report.c:595)
dump_mac_header (net/netfilter/nf_log_syslog.c:831)
nf_log_netdev_packet (net/netfilter/nf_log_syslog.c:938 net/netfilter/nf_log_syslog.c:963)
nf_log_packet (net/netfilter/nf_log.c:260)
nft_log_eval (net/netfilter/nft_log.c:60)
nft_do_chain (net/netfilter/nf_tables_core.c:285)
nft_do_chain_netdev (net/netfilter/nft_chain_filter.c:307)
nf_hook_slow (net/netfilter/core.c:619)
nf_hook_direct_egress (net/packet/af_packet.c:257)
packet_xmit (net/packet/af_packet.c:280)
packet_sendmsg (net/packet/af_packet.c:3114)
__sys_sendto (net/socket.c:2265)

Basic Information

ID CVE-2026-52942

Source Linux

Published Jun 24, 2026 at 07:14

Modified Jun 28, 2026 at 06:37

Affected Product

Vendor Linux

Product Linux

Version 7eb9282cd0efac08b8377cbd5037ba297c77e3f7

Affected Versions Linux Linux 7eb9282cd0efac08b8377cbd5037ba297c77e3f7
Linux Linux 7eb9282cd0efac08b8377cbd5037ba297c77e3f7
Linux Linux 7eb9282cd0efac08b8377cbd5037ba297c77e3f7
Linux Linux 7eb9282cd0efac08b8377cbd5037ba297c77e3f7
Linux Linux 7eb9282cd0efac08b8377cbd5037ba297c77e3f7
Linux Linux 7eb9282cd0efac08b8377cbd5037ba297c77e3f7
Linux Linux 7eb9282cd0efac08b8377cbd5037ba297c77e3f7
Linux Linux 2.6.36

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_log: validate MAC header was set before dumping it\n\nThe fallback path of dump_mac_header() guards the MAC header access\nonly with \"skb->mac_header != skb->network_header\", without checking\nskb_mac_header_was_set(). When the MAC header is unset, mac_header is\n0xffff, so the test passes and skb_mac_header(skb) returns\nskb->head + 0xffff, ~64 KiB past the buffer; the loop then reads\ndev->hard_header_len bytes out of bounds into the kernel log.\n\nThis is reachable via the netdev logger: nf_log_unknown_packet() calls\ndump_mac_header() unconditionally, and an skb sent through AF_PACKET\nwith PACKET_QDISC_BYPASS reaches the egress hook with mac_header still\nunset (__dev_queue_xmit(), which would reset it, is bypassed).\n\nAdd the skb_mac_header_was_set() check the ARPHRD_ETHER path already\nuses, and replace the open-coded MAC header length test with\nskb_mac_header_len(). Only skbs with an unset MAC header are affected;\nvalid ones are dumped as before.\n\n BUG: KASAN: slab-out-of-bounds in dump_mac_header (net/netfilter/nf_log_syslog.c:831)\n Read of size 1 at addr ffff88800ea49d3f by task exploit/148\n Call Trace:\n  kasan_report (mm/kasan/report.c:595)\n  dump_mac_header (net/netfilter/nf_log_syslog.c:831)\n  nf_log_netdev_packet (net/netfilter/nf_log_syslog.c:938 net/netfilter/nf_log_syslog.c:963)\n  nf_log_packet (net/netfilter/nf_log.c:260)\n  nft_log_eval (net/netfilter/nft_log.c:60)\n  nft_do_chain (net/netfilter/nf_tables_core.c:285)\n  nft_do_chain_netdev (net/netfilter/nft_chain_filter.c:307)\n  nf_hook_slow (net/netfilter/core.c:619)\n  nf_hook_direct_egress (net/packet/af_packet.c:257)\n  packet_xmit (net/packet/af_packet.c:280)\n  packet_sendmsg (net/packet/af_packet.c:3114)\n  __sys_sendto (net/socket.c:2265)",
    "published": "2026-06-24T07:14:30.610Z",
    "modified": "2026-06-28T06:37:00.168Z",
    "type": "cve",
    "title": "netfilter: nf_log: validate MAC header was set before dumping it",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/d704ee9c7bc68a161684c51a7ac05b446dcf38d4\nhttps://git.kernel.org/stable/c/befb8968a2abdfa948d5600ea7f7a509a292a590\nhttps://git.kernel.org/stable/c/8a81e336da685423f5b64aac4d571e63d674c52a\nhttps://git.kernel.org/stable/c/c38d41134085193efd5b237cf513ad5b3421a60d\nhttps://git.kernel.org/stable/c/af1b7699466f6556b351fa25d3dc870abfb5d310\nhttps://git.kernel.org/stable/c/65ef7397eb9a296e91839f5fd10be96f23d332e7\nhttps://git.kernel.org/stable/c/a84b6fedbc97078788be78dbdd7517d143ad1a77",
    "id": "CVE-2026-52942",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 7eb9282cd0efac08b8377cbd5037ba297c77e3f7\nLinux Linux 7eb9282cd0efac08b8377cbd5037ba297c77e3f7\nLinux Linux 7eb9282cd0efac08b8377cbd5037ba297c77e3f7\nLinux Linux 7eb9282cd0efac08b8377cbd5037ba297c77e3f7\nLinux Linux 7eb9282cd0efac08b8377cbd5037ba297c77e3f7\nLinux Linux 7eb9282cd0efac08b8377cbd5037ba297c77e3f7\nLinux Linux 7eb9282cd0efac08b8377cbd5037ba297c77e3f7\nLinux Linux 2.6.36",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "7eb9282cd0efac08b8377cbd5037ba297c77e3f7",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

netfilter: nf_log: validate MAC header was set before dumping it_CVE-2026-52942

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply