CVE-2026-52942 - Vulnerability Details

- netfilter: nf_log: validate MAC header was set before dumping it

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_log: validate MAC header was set before dumping it

The fallback path of dump_mac_header() guards the MAC header access
only with "skb->mac_header != skb->network_header", without checking
skb_mac_header_was_set(). When the MAC header is unset, mac_header is
0xffff, so the test passes and skb_mac_header(skb) returns
skb->head + 0xffff, ~64 KiB past the buffer; the loop then reads
dev->hard_header_len bytes out of bounds into the kernel log.

This is reachable via the netdev logger: nf_log_unknown_packet() calls
dump_mac_header() unconditionally, and an skb sent through AF_PACKET
with PACKET_QDISC_BYPASS reaches the egress hook with mac_header still
unset (__dev_queue_xmit(), which would reset it, is bypassed).

Add the skb_mac_header_was_set() check the ARPHRD_ETHER path already
uses, and replace the open-coded MAC header length test with
skb_mac_header_len(). Only skbs with an unset MAC header are affected;
valid ones are dumped as before.

BUG: KASAN: slab-out-of-bounds in dump_mac_header (net/netfilter/nf_log_syslog.c:831)
Read of size 1 at addr ffff88800ea49d3f by task exploit/148
Call Trace:
kasan_report (mm/kasan/report.c:595)
dump_mac_header (net/netfilter/nf_log_syslog.c:831)
nf_log_netdev_packet (net/netfilter/nf_log_syslog.c:938 net/netfilter/nf_log_syslog.c:963)
nf_log_packet (net/netfilter/nf_log.c:260)
nft_log_eval (net/netfilter/nft_log.c:60)
nft_do_chain (net/netfilter/nf_tables_core.c:285)
nft_do_chain_netdev (net/netfilter/nft_chain_filter.c:307)
nf_hook_slow (net/netfilter/core.c:619)
nf_hook_direct_egress (net/packet/af_packet.c:257)
packet_xmit (net/packet/af_packet.c:280)
packet_sendmsg (net/packet/af_packet.c:3114)
__sys_sendto (net/socket.c:2265)

Published: 2026-06-24

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`7eb9282cd0efac08b8377cbd5037ba297c77e3f7`	affected	< d704ee9c7bc68a161684c51a7ac05b446dcf38d4
`7eb9282cd0efac08b8377cbd5037ba297c77e3f7`	affected	< befb8968a2abdfa948d5600ea7f7a509a292a590
`7eb9282cd0efac08b8377cbd5037ba297c77e3f7`	affected	< 8a81e336da685423f5b64aac4d571e63d674c52a
`7eb9282cd0efac08b8377cbd5037ba297c77e3f7`	affected	< c38d41134085193efd5b237cf513ad5b3421a60d
`7eb9282cd0efac08b8377cbd5037ba297c77e3f7`	affected	< af1b7699466f6556b351fa25d3dc870abfb5d310
`7eb9282cd0efac08b8377cbd5037ba297c77e3f7`	affected	< 65ef7397eb9a296e91839f5fd10be96f23d332e7
`7eb9282cd0efac08b8377cbd5037ba297c77e3f7`	affected	< a84b6fedbc97078788be78dbdd7517d143ad1a77

Linux

affected

Version	Status	Constraints
`2.6.36`	affected	—
`0`	unaffected	< 2.6.36
`5.15.210`	unaffected	≤ 5.15.*
`6.1.176`	unaffected	≤ 6.1.*
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[7eb9282cd0efac08b8377cbd5037ba297c77e3f7,d704ee9c7bc68a161684c51a7ac05b446dcf38d4)`	affected	code_commit	—
`[7eb9282cd0efac08b8377cbd5037ba297c77e3f7,befb8968a2abdfa948d5600ea7f7a509a292a590)`	affected	code_commit	—
`[7eb9282cd0efac08b8377cbd5037ba297c77e3f7,8a81e336da685423f5b64aac4d571e63d674c52a)`	affected	code_commit	—
`[7eb9282cd0efac08b8377cbd5037ba297c77e3f7,c38d41134085193efd5b237cf513ad5b3421a60d)`	affected	code_commit	—
`[7eb9282cd0efac08b8377cbd5037ba297c77e3f7,af1b7699466f6556b351fa25d3dc870abfb5d310)`	affected	code_commit	—
`[7eb9282cd0efac08b8377cbd5037ba297c77e3f7,65ef7397eb9a296e91839f5fd10be96f23d332e7)`	affected	code_commit	—
`[7eb9282cd0efac08b8377cbd5037ba297c77e3f7,a84b6fedbc97078788be78dbdd7517d143ad1a77)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.36`	affected	semver	—
`[0,2.6.36)`	unaffected	semver	—
`[5.15.210,5.16.0)`	unaffected	semver	—
`[6.1.176,6.2.0)`	unaffected	semver	—
`[6.6.143,6.7.0)`	unaffected	semver	—
`[6.12.94,6.13.0)`	unaffected	semver	—
`[6.18.36,6.19.0)`	unaffected	semver	—
`[7.0.13,7.1.0)`	unaffected	semver	—
`[7.1,*)`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00123.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/65ef7397eb9a296e91839f5fd10be96f23d332e7
https://git.kernel.org/stable/c/8a81e336da685423f5b64aac4d571e63d674c52a
https://git.kernel.org/stable/c/a84b6fedbc97078788be78dbdd7517d143ad1a77
https://git.kernel.org/stable/c/af1b7699466f6556b351fa25d3dc870abfb5d310
https://git.kernel.org/stable/c/befb8968a2abdfa948d5600ea7f7a509a292a590
https://git.kernel.org/stable/c/c38d41134085193efd5b237cf513ad5b3421a60d
https://git.kernel.org/stable/c/d704ee9c7bc68a161684c51a7ac05b446dcf38d4
https://lore.kernel.org/linux-cve-announce/2026062435-CVE-2026-52942-2530@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-52942
https://www.cve.org/CVERecord?id=CVE-2026-52942

History

Sun, 28 Jun 2026 08:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}`

Thu, 25 Jun 2026 02:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-119 CWE-788

Thu, 25 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125
References		https://lore.kernel.org/linux-cve-announce/2026062435-CVE-2026-52942-2530@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-52942 https://www.cve.org/CVERecord?id=CVE-2026-52942
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Wed, 24 Jun 2026 13:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-788

Wed, 24 Jun 2026 07:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_log: validate MAC header was set before dumping it The fallback path of dump_mac_header() guards the MAC header access only with "skb->mac_header != skb->network_header", without checking skb_mac_header_was_set(). When the MAC header is unset, mac_header is 0xffff, so the test passes and skb_mac_header(skb) returns skb->head + 0xffff, ~64 KiB past the buffer; the loop then reads dev->hard_header_len bytes out of bounds into the kernel log. This is reachable via the netdev logger: nf_log_unknown_packet() calls dump_mac_header() unconditionally, and an skb sent through AF_PACKET with PACKET_QDISC_BYPASS reaches the egress hook with mac_header still unset (__dev_queue_xmit(), which would reset it, is bypassed). Add the skb_mac_header_was_set() check the ARPHRD_ETHER path already uses, and replace the open-coded MAC header length test with skb_mac_header_len(). Only skbs with an unset MAC header are affected; valid ones are dumped as before. BUG: KASAN: slab-out-of-bounds in dump_mac_header (net/netfilter/nf_log_syslog.c:831) Read of size 1 at addr ffff88800ea49d3f by task exploit/148 Call Trace: kasan_report (mm/kasan/report.c:595) dump_mac_header (net/netfilter/nf_log_syslog.c:831) nf_log_netdev_packet (net/netfilter/nf_log_syslog.c:938 net/netfilter/nf_log_syslog.c:963) nf_log_packet (net/netfilter/nf_log.c:260) nft_log_eval (net/netfilter/nft_log.c:60) nft_do_chain (net/netfilter/nf_tables_core.c:285) nft_do_chain_netdev (net/netfilter/nft_chain_filter.c:307) nf_hook_slow (net/netfilter/core.c:619) nf_hook_direct_egress (net/packet/af_packet.c:257) packet_xmit (net/packet/af_packet.c:280) packet_sendmsg (net/packet/af_packet.c:3114) __sys_sendto (net/socket.c:2265)
Title		netfilter: nf_log: validate MAC header was set before dumping it
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/65ef7397eb9a296e91839f5fd10be96f23d332e7 https://git.kernel.org/stable/c/8a81e336da685423f5b64aac4d571e63d674c52a https://git.kernel.org/stable/c/a84b6fedbc97078788be78dbdd7517d143ad1a77 https://git.kernel.org/stable/c/af1b7699466f6556b351fa25d3dc870abfb5d310 https://git.kernel.org/stable/c/befb8968a2abdfa948d5600ea7f7a509a292a590 https://git.kernel.org/stable/c/c38d41134085193efd5b237cf513ad5b3421a60d https://git.kernel.org/stable/c/d704ee9c7bc68a161684c51a7ac05b446dcf38d4

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T07:14:30.610Z

Updated: 2026-06-28T06:37:00.168Z

Reserved: 2026-06-09T07:44:35.370Z

Link: CVE-2026-52942

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52942 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-28T14:00:21Z

Weaknesses

CWE-125

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object