CVE-2026-53211
MEDIUMnetfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register
Title source: cnaDescription
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register NFT_META_BRI_IIFHWADDR declares its destination register with len = ETH_ALEN (6 bytes), which the register-init tracking rounds up to two 32-bit registers (8 bytes). nft_meta_bridge_get_eval() then does memcpy(dest, br_dev->dev_addr, ETH_ALEN), writing only 6 bytes and leaving the upper 2 bytes of the second register as uninitialised nft_do_chain() stack. A downstream load of that register span leaks those stale bytes to userspace. Zero the second register before the memcpy so the full declared span is written.
Scores
CVSS v3
5.5
EPSS
0.0013
EPSS Percentile
2.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-401
Status
published
Products (12)
linux/Kernel
6.18.0 - 6.18.36linux
linux/Kernel
6.19.0 - 7.0.13linux
Linux/Linux
< 6.18
Linux/Linux
6.18
Linux/Linux
6.18.36 - 6.18.*
Linux/Linux
7.0.13 - 7.0.*
Linux/Linux
7.1
Linux/Linux
cbd2257dc96e3e46217540fcb095a757ffa20d96 - 07acb9798477535933bd658ac9fa85b6cb10d995
Linux/Linux
cbd2257dc96e3e46217540fcb095a757ffa20d96 - c7d573551f9286100a055ef696cde6af54549677
Linux/Linux
cbd2257dc96e3e46217540fcb095a757ffa20d96 - f1e81d571e375d10e50e852223593493d98c1bac
... and 2 more
Published
Jun 25, 2026
Tracked Since
Jun 25, 2026