5.5
CVE-2026-53134
- EPSS 0.12%
- Veröffentlicht 25.06.2026 08:38:23
- Zuletzt bearbeitet 07.07.2026 16:59:14
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
netfilter: nft_fib: fix stale stack leak via the OIFNAME register
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_fib: fix stale stack leak via the OIFNAME register
For NFT_FIB_RESULT_OIFNAME the destination register is declared with
len = IFNAMSIZ (four 32-bit registers), but on the lookup-fail,
RTN_LOCAL and oif-mismatch paths nft_fib{4,6}_eval() only writes one
register via "*dest = 0". The remaining three registers are left as
whatever was on the stack in nft_do_chain()'s struct nft_regs, and a
downstream expression that loads the register span can leak that
uninitialised kernel stack to userspace.
The NFTA_FIB_F_PRESENT existence check has the same shape: it is only
meaningful for NFT_FIB_RESULT_OIF, yet it was accepted for any result type
while the eval stores a single byte via nft_reg_store8(), leaving the rest
of the declared span stale.
Fix both:
- replace the bare "*dest = 0" in the eval with nft_fib_store_result(),
which strscpy_pad()s the whole IFNAMSIZ for OIFNAME (and is already
used on the other early-return path), and
- restrict NFTA_FIB_F_PRESENT to NFT_FIB_RESULT_OIF and declare its
destination as a single u8, so the marked span matches the one byte
the eval writes.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 4.10 < 5.10.259
Linux ≫ Linux Kernel Version >= 5.11 < 5.15.210
Linux ≫ Linux Kernel Version >= 5.16 < 6.1.176
Linux ≫ Linux Kernel Version >= 6.2 < 6.6.143
Linux ≫ Linux Kernel Version >= 6.7 < 6.12.94
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.36
Linux ≫ Linux Kernel Version >= 6.19 < 7.0.13
Linux ≫ Linux Kernel Version7.1 Updaterc1
Linux ≫ Linux Kernel Version7.1 Updaterc2
Linux ≫ Linux Kernel Version7.1 Updaterc3
Linux ≫ Linux Kernel Version7.1 Updaterc4
Linux ≫ Linux Kernel Version7.1 Updaterc5
Linux ≫ Linux Kernel Version7.1 Updaterc6
Linux ≫ Linux Kernel Version7.1 Updaterc7
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.12% | 0.024 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.5 | 1.8 | 3.6 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
|
CWE-401 Missing Release of Memory after Effective Lifetime
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
https://git.kernel.org/stable/c/6744e49fe51bfba26522acc2d0e9703cb41d8e50
https://git.kernel.org/stable/c/eca18feed38b3377a2ec5d1f22af1170c55d0171
https://git.kernel.org/stable/c/d19ddef8c327a4773ff81f8e51027d1e0b4cf069
https://git.kernel.org/stable/c/eb8a8124484dbc3c2b543e207da39bbccb703d31
https://git.kernel.org/stable/c/8c84885e9790823828bb8084736ea15769b1ac16
https://git.kernel.org/stable/c/84d8f58cf28a0415413f43ba7148f7bacd4c1b6e
https://git.kernel.org/stable/c/3544210609f6d1db282bbdeca639104ef624c393
https://git.kernel.org/stable/c/ab185e0c4fb82dfba6fb86f8271e06f931d9c64c