CVE-2026-53218 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_exthdr: fix register tracking for F_PRESENT flag nft_exthdr_init() passes user-controlled priv->len to nft_parse_register_store(), which marks that many bytes in the register bitmap as initialized. However, when NFT_EXTHDR_F_PRESENT is set, the eval paths write only 1 byte (nft_reg_store8) or 4 bytes (*dest = 0 on TCP/DCCP error path). When len > 4, registers beyond the first are never written, retaining uninitialized stack data from nft_regs. Bail out if userspace requests too much data when F_PRESENT is set.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products

References

Link	Providers
https://git.kernel.org/stable/c/19748967d59c31d24d21d40b728570788310b237
https://git.kernel.org/stable/c/46fc15a044e9938e7ea77786fb37edd2cd74f031
https://git.kernel.org/stable/c/67b27434c43b68a97becda98c9f0c8cf6cba2134
https://git.kernel.org/stable/c/772cecf198da732faebb5dcfc46d66a505be8495
https://git.kernel.org/stable/c/78069a6d8bc86c9e036eb82c2af4a19cc1871a53
https://git.kernel.org/stable/c/8738b1b6d0e639ca1fc0f61516afd3557ac4ecc6
https://git.kernel.org/stable/c/cd513e43b4b2bd1de39e2367bc4261c699a8652f
https://git.kernel.org/stable/c/f08fb3d42fd3aad0b7a263da3ac3ebaf0845e265

History

Thu, 25 Jun 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-457

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_exthdr: fix register tracking for F_PRESENT flag nft_exthdr_init() passes user-controlled priv->len to nft_parse_register_store(), which marks that many bytes in the register bitmap as initialized. However, when NFT_EXTHDR_F_PRESENT is set, the eval paths write only 1 byte (nft_reg_store8) or 4 bytes (*dest = 0 on TCP/DCCP error path). When len > 4, registers beyond the first are never written, retaining uninitialized stack data from nft_regs. Bail out if userspace requests too much data when F_PRESENT is set.
Title		netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/19748967d59c31d24d21d40b728570788310b237 https://git.kernel.org/stable/c/46fc15a044e9938e7ea77786fb37edd2cd74f031 https://git.kernel.org/stable/c/67b27434c43b68a97becda98c9f0c8cf6cba2134 https://git.kernel.org/stable/c/772cecf198da732faebb5dcfc46d66a505be8495 https://git.kernel.org/stable/c/78069a6d8bc86c9e036eb82c2af4a19cc1871a53 https://git.kernel.org/stable/c/8738b1b6d0e639ca1fc0f61516afd3557ac4ecc6 https://git.kernel.org/stable/c/cd513e43b4b2bd1de39e2367bc4261c699a8652f https://git.kernel.org/stable/c/f08fb3d42fd3aad0b7a263da3ac3ebaf0845e265

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:39:21.069Z

Updated: 2026-06-25T08:39:21.069Z

Reserved: 2026-06-09T07:44:35.392Z

Link: CVE-2026-53218

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T12:00:14Z

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object