CVE-2026-52942 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_log: validate MAC header was set before dumping it

The fallback path of dump_mac_header() guards the MAC header access
only with "skb->mac_header != skb->network_header", without checking
skb_mac_header_was_set(). When the MAC header is unset, mac_header is
0xffff, so the test passes and skb_mac_header(skb) returns
skb->head + 0xffff, ~64 KiB past the buffer; the loop then reads
dev->hard_header_len bytes out of bounds into the kernel log.

This is reachable via the netdev logger: nf_log_unknown_packet() calls
dump_mac_header() unconditionally, and an skb sent through AF_PACKET
with PACKET_QDISC_BYPASS reaches the egress hook with mac_header still
unset (__dev_queue_xmit(), which would reset it, is bypassed).

Add the skb_mac_header_was_set() check the ARPHRD_ETHER path already
uses, and replace the open-coded MAC header length test with
skb_mac_header_len(). Only skbs with an unset MAC header are affected;
valid ones are dumped as before.

BUG: KASAN: slab-out-of-bounds in dump_mac_header (net/netfilter/nf_log_syslog.c:831)
Read of size 1 at addr ffff88800ea49d3f by task exploit/148
Call Trace:
kasan_report (mm/kasan/report.c:595)
dump_mac_header (net/netfilter/nf_log_syslog.c:831)
nf_log_netdev_packet (net/netfilter/nf_log_syslog.c:938 net/netfilter/nf_log_syslog.c:963)
nf_log_packet (net/netfilter/nf_log.c:260)
nft_log_eval (net/netfilter/nft_log.c:60)
nft_do_chain (net/netfilter/nf_tables_core.c:285)
nft_do_chain_netdev (net/netfilter/nft_chain_filter.c:307)
nf_hook_slow (net/netfilter/core.c:619)
nf_hook_direct_egress (net/packet/af_packet.c:257)
packet_xmit (net/packet/af_packet.c:280)
packet_sendmsg (net/packet/af_packet.c:3114)
__sys_sendto (net/socket.c:2265)

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00169.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`7eb9282cd0efac08b8377cbd5037ba297c77e3f7`	affected	< d704ee9c7bc68a161684c51a7ac05b446dcf38d4
`7eb9282cd0efac08b8377cbd5037ba297c77e3f7`	affected	< befb8968a2abdfa948d5600ea7f7a509a292a590
`7eb9282cd0efac08b8377cbd5037ba297c77e3f7`	affected	< 8a81e336da685423f5b64aac4d571e63d674c52a
`7eb9282cd0efac08b8377cbd5037ba297c77e3f7`	affected	< c38d41134085193efd5b237cf513ad5b3421a60d
`7eb9282cd0efac08b8377cbd5037ba297c77e3f7`	affected	< af1b7699466f6556b351fa25d3dc870abfb5d310
`7eb9282cd0efac08b8377cbd5037ba297c77e3f7`	affected	< 65ef7397eb9a296e91839f5fd10be96f23d332e7
`7eb9282cd0efac08b8377cbd5037ba297c77e3f7`	affected	< a84b6fedbc97078788be78dbdd7517d143ad1a77

Linux

affected

Version	Status	Constraints
`2.6.36`	affected	—
`0`	unaffected	< 2.6.36
`5.15.210`	unaffected	≤ 5.15.*
`6.1.176`	unaffected	≤ 6.1.*
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Project Subscriptions

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/65ef7397eb9a296e91839f5fd10be96f23d332e7
https://git.kernel.org/stable/c/8a81e336da685423f5b64aac4d571e63d674c52a
https://git.kernel.org/stable/c/a84b6fedbc97078788be78dbdd7517d143ad1a77
https://git.kernel.org/stable/c/af1b7699466f6556b351fa25d3dc870abfb5d310
https://git.kernel.org/stable/c/befb8968a2abdfa948d5600ea7f7a509a292a590
https://git.kernel.org/stable/c/c38d41134085193efd5b237cf513ad5b3421a60d
https://git.kernel.org/stable/c/d704ee9c7bc68a161684c51a7ac05b446dcf38d4

History

Wed, 24 Jun 2026 13:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-788

Wed, 24 Jun 2026 07:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_log: validate MAC header was set before dumping it The fallback path of dump_mac_header() guards the MAC header access only with "skb->mac_header != skb->network_header", without checking skb_mac_header_was_set(). When the MAC header is unset, mac_header is 0xffff, so the test passes and skb_mac_header(skb) returns skb->head + 0xffff, ~64 KiB past the buffer; the loop then reads dev->hard_header_len bytes out of bounds into the kernel log. This is reachable via the netdev logger: nf_log_unknown_packet() calls dump_mac_header() unconditionally, and an skb sent through AF_PACKET with PACKET_QDISC_BYPASS reaches the egress hook with mac_header still unset (__dev_queue_xmit(), which would reset it, is bypassed). Add the skb_mac_header_was_set() check the ARPHRD_ETHER path already uses, and replace the open-coded MAC header length test with skb_mac_header_len(). Only skbs with an unset MAC header are affected; valid ones are dumped as before. BUG: KASAN: slab-out-of-bounds in dump_mac_header (net/netfilter/nf_log_syslog.c:831) Read of size 1 at addr ffff88800ea49d3f by task exploit/148 Call Trace: kasan_report (mm/kasan/report.c:595) dump_mac_header (net/netfilter/nf_log_syslog.c:831) nf_log_netdev_packet (net/netfilter/nf_log_syslog.c:938 net/netfilter/nf_log_syslog.c:963) nf_log_packet (net/netfilter/nf_log.c:260) nft_log_eval (net/netfilter/nft_log.c:60) nft_do_chain (net/netfilter/nf_tables_core.c:285) nft_do_chain_netdev (net/netfilter/nft_chain_filter.c:307) nf_hook_slow (net/netfilter/core.c:619) nf_hook_direct_egress (net/packet/af_packet.c:257) packet_xmit (net/packet/af_packet.c:280) packet_sendmsg (net/packet/af_packet.c:3114) __sys_sendto (net/socket.c:2265)
Title		netfilter: nf_log: validate MAC header was set before dumping it
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/65ef7397eb9a296e91839f5fd10be96f23d332e7 https://git.kernel.org/stable/c/8a81e336da685423f5b64aac4d571e63d674c52a https://git.kernel.org/stable/c/a84b6fedbc97078788be78dbdd7517d143ad1a77 https://git.kernel.org/stable/c/af1b7699466f6556b351fa25d3dc870abfb5d310 https://git.kernel.org/stable/c/befb8968a2abdfa948d5600ea7f7a509a292a590 https://git.kernel.org/stable/c/c38d41134085193efd5b237cf513ad5b3421a60d https://git.kernel.org/stable/c/d704ee9c7bc68a161684c51a7ac05b446dcf38d4

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T07:14:30.610Z

Updated: 2026-06-24T07:14:30.610Z

Reserved: 2026-06-09T07:44:35.370Z

Link: CVE-2026-52942

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T13:00:06Z

Weaknesses

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object