CVE-2026-53267 (GCVE-0-2026-53267)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:41
VLAI
Title
netfilter: nft_ct: bail out on template ct in get eval
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_ct: bail out on template ct in get eval
I noticed this issue while looking at a historic syzbot report [1].
A rule like the one below is enough to trigger the bug:
table ip t {
chain pre {
type filter hook prerouting priority raw;
ct zone set 1
ct original saddr 1.2.3.4 accept
}
}
The first expression attaches a per-cpu template ct via
nft_ct_set_zone_eval() (nf_ct_tmpl_alloc -> kzalloc, tuple is all
zero, nf_ct_l3num(ct) == 0). The next expression then calls
nft_ct_get_eval() on the same skb, treats the template as a real ct
and hits the 16-byte memcpy path. With dreg at NFT_REG32_15 this
overflows past struct nft_regs on the kernel stack; with smaller
dreg values it silently clobbers adjacent registers.
Reject template ct at the eval entry and in nft_ct_get_fast_eval(),
mirroring the check nft_ct_set_eval() already has. Additionally,
bound the address copy in NFT_CT_SRC / NFT_CT_DST by priv->len
instead of by nf_ct_l3num(ct): nf_ct_get_tuple() zeroes the tuple
before pkt_to_tuple() fills in only the protocol-relevant leading
bytes, so the trailing bytes of tuple->{src,dst}.u3.all are
well-defined zero. priv->len is validated at rule load, so the
copy size is now bounded by the destination register rather than
by an untrusted field on the conntrack.
[1]: https://syzkaller.appspot.com/bug?id=389cf09cb72926114fce90dc85a2c3231dcb647c
Severity
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
45d9bcda21f4c13be75e3571b0f0ef39e77934b5 , < af80f78ce984649e1698b841cd33f4fa505ad828
(git)
Affected: 45d9bcda21f4c13be75e3571b0f0ef39e77934b5 , < 8470f676eadeab99132708acb1a85915664d6115 (git) Affected: 45d9bcda21f4c13be75e3571b0f0ef39e77934b5 , < f071b0bf078146368d18e4eec386bf2ddc0ab7e0 (git) Affected: 45d9bcda21f4c13be75e3571b0f0ef39e77934b5 , < 2e154b5f53f1b0b490c7b8b02499f90feb86b1d5 (git) Affected: 45d9bcda21f4c13be75e3571b0f0ef39e77934b5 , < 3027ecbdb5fdf9200251c21d4818e4c447ef78e1 (git) |
|
| Linux | Linux |
Affected:
4.1
Unaffected: 0 , < 4.1 (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_ct.c",
"net/netfilter/nft_ct_fast.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af80f78ce984649e1698b841cd33f4fa505ad828",
"status": "affected",
"version": "45d9bcda21f4c13be75e3571b0f0ef39e77934b5",
"versionType": "git"
},
{
"lessThan": "8470f676eadeab99132708acb1a85915664d6115",
"status": "affected",
"version": "45d9bcda21f4c13be75e3571b0f0ef39e77934b5",
"versionType": "git"
},
{
"lessThan": "f071b0bf078146368d18e4eec386bf2ddc0ab7e0",
"status": "affected",
"version": "45d9bcda21f4c13be75e3571b0f0ef39e77934b5",
"versionType": "git"
},
{
"lessThan": "2e154b5f53f1b0b490c7b8b02499f90feb86b1d5",
"status": "affected",
"version": "45d9bcda21f4c13be75e3571b0f0ef39e77934b5",
"versionType": "git"
},
{
"lessThan": "3027ecbdb5fdf9200251c21d4818e4c447ef78e1",
"status": "affected",
"version": "45d9bcda21f4c13be75e3571b0f0ef39e77934b5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_ct.c",
"net/netfilter/nft_ct_fast.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: bail out on template ct in get eval\n\nI noticed this issue while looking at a historic syzbot report [1].\n\nA rule like the one below is enough to trigger the bug:\n\n table ip t {\n chain pre {\n type filter hook prerouting priority raw;\n ct zone set 1\n ct original saddr 1.2.3.4 accept\n }\n }\n\nThe first expression attaches a per-cpu template ct via\nnft_ct_set_zone_eval() (nf_ct_tmpl_alloc -\u003e kzalloc, tuple is all\nzero, nf_ct_l3num(ct) == 0). The next expression then calls\nnft_ct_get_eval() on the same skb, treats the template as a real ct\nand hits the 16-byte memcpy path. With dreg at NFT_REG32_15 this\noverflows past struct nft_regs on the kernel stack; with smaller\ndreg values it silently clobbers adjacent registers.\n\nReject template ct at the eval entry and in nft_ct_get_fast_eval(),\nmirroring the check nft_ct_set_eval() already has. Additionally,\nbound the address copy in NFT_CT_SRC / NFT_CT_DST by priv-\u003elen\ninstead of by nf_ct_l3num(ct): nf_ct_get_tuple() zeroes the tuple\nbefore pkt_to_tuple() fills in only the protocol-relevant leading\nbytes, so the trailing bytes of tuple-\u003e{src,dst}.u3.all are\nwell-defined zero. priv-\u003elen is validated at rule load, so the\ncopy size is now bounded by the destination register rather than\nby an untrusted field on the conntrack.\n\n[1]: https://syzkaller.appspot.com/bug?id=389cf09cb72926114fce90dc85a2c3231dcb647c"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:41:11.085Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af80f78ce984649e1698b841cd33f4fa505ad828"
},
{
"url": "https://git.kernel.org/stable/c/8470f676eadeab99132708acb1a85915664d6115"
},
{
"url": "https://git.kernel.org/stable/c/f071b0bf078146368d18e4eec386bf2ddc0ab7e0"
},
{
"url": "https://git.kernel.org/stable/c/2e154b5f53f1b0b490c7b8b02499f90feb86b1d5"
},
{
"url": "https://git.kernel.org/stable/c/3027ecbdb5fdf9200251c21d4818e4c447ef78e1"
}
],
"title": "netfilter: nft_ct: bail out on template ct in get eval",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53267",
"datePublished": "2026-06-25T08:39:53.852Z",
"dateReserved": "2026-06-09T07:44:35.395Z",
"dateUpdated": "2026-06-28T06:41:11.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-53267",
"date": "2026-06-27",
"epss": "0.00163",
"percentile": "0.05891"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-53267\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-06-25T09:16:44.770\",\"lastModified\":\"2026-06-28T08:16:42.113\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nft_ct: bail out on template ct in get eval\\n\\nI noticed this issue while looking at a historic syzbot report [1].\\n\\nA rule like the one below is enough to trigger the bug:\\n\\n table ip t {\\n chain pre {\\n type filter hook prerouting priority raw;\\n ct zone set 1\\n ct original saddr 1.2.3.4 accept\\n }\\n }\\n\\nThe first expression attaches a per-cpu template ct via\\nnft_ct_set_zone_eval() (nf_ct_tmpl_alloc -\u003e kzalloc, tuple is all\\nzero, nf_ct_l3num(ct) == 0). The next expression then calls\\nnft_ct_get_eval() on the same skb, treats the template as a real ct\\nand hits the 16-byte memcpy path. With dreg at NFT_REG32_15 this\\noverflows past struct nft_regs on the kernel stack; with smaller\\ndreg values it silently clobbers adjacent registers.\\n\\nReject template ct at the eval entry and in nft_ct_get_fast_eval(),\\nmirroring the check nft_ct_set_eval() already has. Additionally,\\nbound the address copy in NFT_CT_SRC / NFT_CT_DST by priv-\u003elen\\ninstead of by nf_ct_l3num(ct): nf_ct_get_tuple() zeroes the tuple\\nbefore pkt_to_tuple() fills in only the protocol-relevant leading\\nbytes, so the trailing bytes of tuple-\u003e{src,dst}.u3.all are\\nwell-defined zero. priv-\u003elen is validated at rule load, so the\\ncopy size is now bounded by the destination register rather than\\nby an untrusted field on the conntrack.\\n\\n[1]: https://syzkaller.appspot.com/bug?id=389cf09cb72926114fce90dc85a2c3231dcb647c\"}],\"affected\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"affectedData\":[{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"unaffected\",\"programFiles\":[\"net/netfilter/nft_ct.c\",\"net/netfilter/nft_ct_fast.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"45d9bcda21f4c13be75e3571b0f0ef39e77934b5\",\"lessThan\":\"af80f78ce984649e1698b841cd33f4fa505ad828\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"45d9bcda21f4c13be75e3571b0f0ef39e77934b5\",\"lessThan\":\"8470f676eadeab99132708acb1a85915664d6115\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"45d9bcda21f4c13be75e3571b0f0ef39e77934b5\",\"lessThan\":\"f071b0bf078146368d18e4eec386bf2ddc0ab7e0\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"45d9bcda21f4c13be75e3571b0f0ef39e77934b5\",\"lessThan\":\"2e154b5f53f1b0b490c7b8b02499f90feb86b1d5\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"45d9bcda21f4c13be75e3571b0f0ef39e77934b5\",\"lessThan\":\"3027ecbdb5fdf9200251c21d4818e4c447ef78e1\",\"versionType\":\"git\",\"status\":\"affected\"}]},{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"affected\",\"programFiles\":[\"net/netfilter/nft_ct.c\",\"net/netfilter/nft_ct_fast.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"4.1\",\"status\":\"affected\"},{\"version\":\"0\",\"lessThan\":\"4.1\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.6.143\",\"lessThanOrEqual\":\"6.6.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.12.94\",\"lessThanOrEqual\":\"6.12.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.18.36\",\"lessThanOrEqual\":\"6.18.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"7.0.13\",\"lessThanOrEqual\":\"7.0.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"7.1\",\"lessThanOrEqual\":\"*\",\"versionType\":\"original_commit_for_fix\",\"status\":\"unaffected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2e154b5f53f1b0b490c7b8b02499f90feb86b1d5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3027ecbdb5fdf9200251c21d4818e4c447ef78e1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8470f676eadeab99132708acb1a85915664d6115\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/af80f78ce984649e1698b841cd33f4fa505ad828\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f071b0bf078146368d18e4eec386bf2ddc0ab7e0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…