CVE-2026-53218 - Vulnerability Details

- netfilter: nft_exthdr: fix register tracking for F_PRESENT flag

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_exthdr: fix register tracking for F_PRESENT flag

nft_exthdr_init() passes user-controlled priv->len to
nft_parse_register_store(), which marks that many bytes in the
register bitmap as initialized. However, when NFT_EXTHDR_F_PRESENT
is set, the eval paths write only 1 byte (nft_reg_store8) or
4 bytes (*dest = 0 on TCP/DCCP error path). When len > 4,
registers beyond the first are never written, retaining
uninitialized stack data from nft_regs.

Bail out if userspace requests too much data when F_PRESENT is set.

Published: 2026-06-25

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783`	affected	< 8738b1b6d0e639ca1fc0f61516afd3557ac4ecc6
`c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783`	affected	< 19748967d59c31d24d21d40b728570788310b237
`c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783`	affected	< 46fc15a044e9938e7ea77786fb37edd2cd74f031
`c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783`	affected	< cd513e43b4b2bd1de39e2367bc4261c699a8652f
`c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783`	affected	< 67b27434c43b68a97becda98c9f0c8cf6cba2134
`c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783`	affected	< 78069a6d8bc86c9e036eb82c2af4a19cc1871a53
`c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783`	affected	< f08fb3d42fd3aad0b7a263da3ac3ebaf0845e265
`c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783`	affected	< 772cecf198da732faebb5dcfc46d66a505be8495

Linux

affected

Version	Status	Constraints
`4.11`	affected	—
`0`	unaffected	< 4.11
`5.10.259`	unaffected	≤ 5.10.*
`5.15.210`	unaffected	≤ 5.15.*
`6.1.176`	unaffected	≤ 6.1.*
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783,8738b1b6d0e639ca1fc0f61516afd3557ac4ecc6)`	affected	code_commit	—
`[c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783,19748967d59c31d24d21d40b728570788310b237)`	affected	code_commit	—
`[c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783,46fc15a044e9938e7ea77786fb37edd2cd74f031)`	affected	code_commit	—
`[c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783,cd513e43b4b2bd1de39e2367bc4261c699a8652f)`	affected	code_commit	—
`[c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783,67b27434c43b68a97becda98c9f0c8cf6cba2134)`	affected	code_commit	—
`[c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783,78069a6d8bc86c9e036eb82c2af4a19cc1871a53)`	affected	code_commit	—
`[c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783,f08fb3d42fd3aad0b7a263da3ac3ebaf0845e265)`	affected	code_commit	—
`[c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783,772cecf198da732faebb5dcfc46d66a505be8495)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.11`	affected	generic	—
`[0,4.11)`	unaffected	generic	—
`[5.10.259,5.11.0)`	unaffected	semver	—
`[5.15.210,5.16.0)`	unaffected	semver	—
`[6.1.176,6.2.0)`	unaffected	semver	—
`[6.6.143,6.7.0)`	unaffected	semver	—
`[6.12.94,6.13.0)`	unaffected	semver	—
`[6.18.36,6.19.0)`	unaffected	semver	—
`[7.0.13,7.1.0)`	unaffected	semver	—
`[7.1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00184.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/19748967d59c31d24d21d40b728570788310b237
https://git.kernel.org/stable/c/46fc15a044e9938e7ea77786fb37edd2cd74f031
https://git.kernel.org/stable/c/67b27434c43b68a97becda98c9f0c8cf6cba2134
https://git.kernel.org/stable/c/772cecf198da732faebb5dcfc46d66a505be8495
https://git.kernel.org/stable/c/78069a6d8bc86c9e036eb82c2af4a19cc1871a53
https://git.kernel.org/stable/c/8738b1b6d0e639ca1fc0f61516afd3557ac4ecc6
https://git.kernel.org/stable/c/cd513e43b4b2bd1de39e2367bc4261c699a8652f
https://git.kernel.org/stable/c/f08fb3d42fd3aad0b7a263da3ac3ebaf0845e265
https://lore.kernel.org/linux-cve-announce/2026062505-CVE-2026-53218-d36e@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-53218
https://www.cve.org/CVERecord?id=CVE-2026-53218

History

Fri, 26 Jun 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-824
References		https://lore.kernel.org/linux-cve-announce/2026062505-CVE-2026-53218-d36e@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-53218 https://www.cve.org/CVERecord?id=CVE-2026-53218
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Thu, 25 Jun 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-457

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_exthdr: fix register tracking for F_PRESENT flag nft_exthdr_init() passes user-controlled priv->len to nft_parse_register_store(), which marks that many bytes in the register bitmap as initialized. However, when NFT_EXTHDR_F_PRESENT is set, the eval paths write only 1 byte (nft_reg_store8) or 4 bytes (*dest = 0 on TCP/DCCP error path). When len > 4, registers beyond the first are never written, retaining uninitialized stack data from nft_regs. Bail out if userspace requests too much data when F_PRESENT is set.
Title		netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/19748967d59c31d24d21d40b728570788310b237 https://git.kernel.org/stable/c/46fc15a044e9938e7ea77786fb37edd2cd74f031 https://git.kernel.org/stable/c/67b27434c43b68a97becda98c9f0c8cf6cba2134 https://git.kernel.org/stable/c/772cecf198da732faebb5dcfc46d66a505be8495 https://git.kernel.org/stable/c/78069a6d8bc86c9e036eb82c2af4a19cc1871a53 https://git.kernel.org/stable/c/8738b1b6d0e639ca1fc0f61516afd3557ac4ecc6 https://git.kernel.org/stable/c/cd513e43b4b2bd1de39e2367bc4261c699a8652f https://git.kernel.org/stable/c/f08fb3d42fd3aad0b7a263da3ac3ebaf0845e265

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:39:21.069Z

Updated: 2026-06-25T08:39:21.069Z

Reserved: 2026-06-09T07:44:35.392Z

Link: CVE-2026-53218

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53218 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-26T13:45:05Z

Weaknesses

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object