Linux Kernel up to 7.0.12 netfilter nf_log_syslog.c dump_mac_header out-of-bounds
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 2.5 | $0-$5k | 1.32- |
Summary
A vulnerability has been found in Linux Kernel up to 7.0.12 and classified as critical. Affected by this issue is the function dump_mac_header of the file net/netfilter/nf_log_syslog.c of the component netfilter. The manipulation of the argument mac_header leads to out-of-bounds.
This vulnerability is uniquely identified as CVE-2026-52942. No exploit exists.
The affected component should be upgraded.
Details
A vulnerability, which was classified as problematic, has been found in Linux Kernel up to 7.0.12. This issue affects the function dump_mac_header of the file net/netfilter/nf_log_syslog.c of the component netfilter. The manipulation of the argument mac_header with an unknown input leads to a out-of-bounds vulnerability. Using CWE to declare the problem leads to CWE-125. The product reads data past the end, or before the beginning, of the intended buffer. Impacted is confidentiality. The summary by CVE is:
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_log: validate MAC header was set before dumping it The fallback path of dump_mac_header() guards the MAC header access only with "skb->mac_header != skb->network_header", without checking skb_mac_header_was_set(). When the MAC header is unset, mac_header is 0xffff, so the test passes and skb_mac_header(skb) returns skb->head + 0xffff, ~64 KiB past the buffer; the loop then reads dev->hard_header_len bytes out of bounds into the kernel log. This is reachable via the netdev logger: nf_log_unknown_packet() calls dump_mac_header() unconditionally, and an skb sent through AF_PACKET with PACKET_QDISC_BYPASS reaches the egress hook with mac_header still unset (__dev_queue_xmit(), which would reset it, is bypassed). Add the skb_mac_header_was_set() check the ARPHRD_ETHER path already uses, and replace the open-coded MAC header length test with skb_mac_header_len(). Only skbs with an unset MAC header are affected; valid ones are dumped as before. BUG: KASAN: slab-out-of-bounds in dump_mac_header (net/netfilter/nf_log_syslog.c:831) Read of size 1 at addr ffff88800ea49d3f by task exploit/148 Call Trace: kasan_report (mm/kasan/report.c:595) dump_mac_header (net/netfilter/nf_log_syslog.c:831) nf_log_netdev_packet (net/netfilter/nf_log_syslog.c:938 net/netfilter/nf_log_syslog.c:963) nf_log_packet (net/netfilter/nf_log.c:260) nft_log_eval (net/netfilter/nft_log.c:60) nft_do_chain (net/netfilter/nf_tables_core.c:285) nft_do_chain_netdev (net/netfilter/nft_chain_filter.c:307) nf_hook_slow (net/netfilter/core.c:619) nf_hook_direct_egress (net/packet/af_packet.c:257) packet_xmit (net/packet/af_packet.c:280) packet_sendmsg (net/packet/af_packet.c:3114) __sys_sendto (net/socket.c:2265)
It is possible to read the advisory at git.kernel.org. The identification of this vulnerability is CVE-2026-52942 since 06/09/2026. The exploitation is known to be difficult. Technical details of the vulnerability are known, but there is no available exploit.
Upgrading to version 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36 or 7.0.13 eliminates this vulnerability. Applying the patch d704ee9c7bc68a161684c51a7ac05b446dcf38d4/befb8968a2abdfa948d5600ea7f7a509a292a590/8a81e336da685423f5b64aac4d571e63d674c52a/c38d41134085193efd5b237cf513ad5b3421a60d/af1b7699466f6556b351fa25d3dc870abfb5d310/65ef7397eb9a296e91839f5fd10be96f23d332e7/a84b6fedbc97078788be78dbdd7517d143ad1a77 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the databases at EUVD (EUVD-2026-38712) and CERT Bund (WID-SEC-2026-2056). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Affected
- Open Source Linux Kernel
Product
Type
Vendor
Name
Version
- 5.15.209
- 6.1.175
- 6.6.142
- 6.12.0
- 6.12.1
- 6.12.2
- 6.12.3
- 6.12.4
- 6.12.5
- 6.12.6
- 6.12.7
- 6.12.8
- 6.12.9
- 6.12.10
- 6.12.11
- 6.12.12
- 6.12.13
- 6.12.14
- 6.12.15
- 6.12.16
- 6.12.17
- 6.12.18
- 6.12.19
- 6.12.20
- 6.12.21
- 6.12.22
- 6.12.23
- 6.12.24
- 6.12.25
- 6.12.26
- 6.12.27
- 6.12.28
- 6.12.29
- 6.12.30
- 6.12.31
- 6.12.32
- 6.12.33
- 6.12.34
- 6.12.35
- 6.12.36
- 6.12.37
- 6.12.38
- 6.12.39
- 6.12.40
- 6.12.41
- 6.12.42
- 6.12.43
- 6.12.44
- 6.12.45
- 6.12.46
- 6.12.47
- 6.12.48
- 6.12.49
- 6.12.50
- 6.12.51
- 6.12.52
- 6.12.53
- 6.12.54
- 6.12.55
- 6.12.56
- 6.12.57
- 6.12.58
- 6.12.59
- 6.12.60
- 6.12.61
- 6.12.62
- 6.12.63
- 6.12.64
- 6.12.65
- 6.12.66
- 6.12.67
- 6.12.68
- 6.12.69
- 6.12.70
- 6.12.71
- 6.12.72
- 6.12.73
- 6.12.74
- 6.12.75
- 6.12.76
- 6.12.77
- 6.12.78
- 6.12.79
- 6.12.80
- 6.12.81
- 6.12.82
- 6.12.83
- 6.12.84
- 6.12.85
- 6.12.86
- 6.12.87
- 6.12.88
- 6.12.89
- 6.12.90
- 6.12.91
- 6.12.92
- 6.12.93
- 6.18.0
- 6.18.1
- 6.18.2
- 6.18.3
- 6.18.4
- 6.18.5
- 6.18.6
- 6.18.7
- 6.18.8
- 6.18.9
- 6.18.10
- 6.18.11
- 6.18.12
- 6.18.13
- 6.18.14
- 6.18.15
- 6.18.16
- 6.18.17
- 6.18.18
- 6.18.19
- 6.18.20
- 6.18.21
- 6.18.22
- 6.18.23
- 6.18.24
- 6.18.25
- 6.18.26
- 6.18.27
- 6.18.28
- 6.18.29
- 6.18.30
- 6.18.31
- 6.18.32
- 6.18.33
- 6.18.34
- 6.18.35
- 7.0.0
- 7.0.1
- 7.0.2
- 7.0.3
- 7.0.4
- 7.0.5
- 7.0.6
- 7.0.7
- 7.0.8
- 7.0.9
- 7.0.10
- 7.0.11
- 7.0.12
License
Website
- Vendor: https://www.kernel.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 2.6VulDB Meta Temp Score: 2.5
VulDB Base Score: 2.6
VulDB Temp Score: 2.5
VulDB Vector: 🔒
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Out-of-boundsCWE: CWE-125 / CWE-119
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Partially
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: Kernel 5.15.210/6.1.176/6.6.143/6.12.94/6.18.36/7.0.13
Patch: d704ee9c7bc68a161684c51a7ac05b446dcf38d4/befb8968a2abdfa948d5600ea7f7a509a292a590/8a81e336da685423f5b64aac4d571e63d674c52a/c38d41134085193efd5b237cf513ad5b3421a60d/af1b7699466f6556b351fa25d3dc870abfb5d310/65ef7397eb9a296e91839f5fd10be96f23d332e7/a84b6fedbc97078788be78dbdd7517d143ad1a77
Timeline
06/09/2026 CVE reserved06/24/2026 Advisory disclosed
06/24/2026 VulDB entry created
06/24/2026 VulDB entry last update
Sources
Vendor: kernel.orgAdvisory: git.kernel.org
Status: Confirmed
CVE: CVE-2026-52942 (🔒)
GCVE (CVE): GCVE-0-2026-52942
GCVE (VulDB): GCVE-100-373187
EUVD: 🔒
CERT Bund: WID-SEC-2026-2056 - Linux Kernel: Mehrere Schwachstellen
Entry
Created: 06/24/2026 10:08Updated: 06/24/2026 19:24
Changes: 06/24/2026 10:08 (61), 06/24/2026 12:07 (1), 06/24/2026 19:24 (7)
Complete: 🔍
Cache ID: 216::103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.