{"cve":{"cve_id":"CVE-2026-53267","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":null,"epss_percentile":null,"epss_as_of":null,"description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: bail out on template ct in get eval\n\nI noticed this issue while looking at a historic syzbot report [1].\n\nA rule like the one below is enough to trigger the bug:\n\n    table ip t {\n        chain pre {\n            type filter hook prerouting priority raw;\n            ct zone set 1\n            ct original saddr 1.2.3.4 accept\n        }\n    }\n\nThe first expression attaches a per-cpu template ct via\nnft_ct_set_zone_eval() (nf_ct_tmpl_alloc -> kzalloc, tuple is all\nzero, nf_ct_l3num(ct) == 0). The next expression then calls\nnft_ct_get_eval() on the same skb, treats the template as a real ct\nand hits the 16-byte memcpy path. With dreg at NFT_REG32_15 this\noverflows past struct nft_regs on the kernel stack; with smaller\ndreg values it silently clobbers adjacent registers.\n\nReject template ct at the eval entry and in nft_ct_get_fast_eval(),\nmirroring the check nft_ct_set_eval() already has. Additionally,\nbound the address copy in NFT_CT_SRC / NFT_CT_DST by priv->len\ninstead of by nf_ct_l3num(ct): nf_ct_get_tuple() zeroes the tuple\nbefore pkt_to_tuple() fills in only the protocol-relevant leading\nbytes, so the trailing bytes of tuple->{src,dst}.u3.all are\nwell-defined zero. priv->len is validated at rule load, so the\ncopy size is now bounded by the destination register rather than\nby an untrusted field on the conntrack.\n\n[1]: https://syzkaller.appspot.com/bug?id=389cf09cb72926114fce90dc85a2c3231dcb647c","published_at":"2026-06-25T08:39:53.852000Z","last_modified_at":null,"cvss_v3_score":7.8,"cvss_v3_vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","cvss_v3_severity":"HIGH","cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":null,"nvd_references":["https://git.kernel.org/stable/c/af80f78ce984649e1698b841cd33f4fa505ad828","https://git.kernel.org/stable/c/8470f676eadeab99132708acb1a85915664d6115","https://git.kernel.org/stable/c/f071b0bf078146368d18e4eec386bf2ddc0ab7e0","https://git.kernel.org/stable/c/2e154b5f53f1b0b490c7b8b02499f90feb86b1d5","https://git.kernel.org/stable/c/3027ecbdb5fdf9200251c21d4818e4c447ef78e1"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-28T17:55:28.590503Z","updated_at":"2026-06-28T23:30:51.545322Z"},"effective_severity":"HIGH","badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"L","value_label":"Local"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"PR","name":"Privileges Required","value":"L","value_label":"Low"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"H","value_label":"High"},{"metric":"I","name":"Integrity","value":"H","value_label":"High"},{"metric":"A","name":"Availability","value":"H","value_label":"High"}]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"45d9bcda21f4c13be75e3571b0f0ef39e77934b5","version_start_inclusive":true,"version_end":"af80f78ce984649e1698b841cd33f4fa505ad828","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:45d9bcda21f4c13be75e3571b0f0ef39e77934b5:af80f78ce984649e1698b841cd33f4fa505ad828"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"45d9bcda21f4c13be75e3571b0f0ef39e77934b5","version_start_inclusive":true,"version_end":"8470f676eadeab99132708acb1a85915664d6115","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:45d9bcda21f4c13be75e3571b0f0ef39e77934b5:8470f676eadeab99132708acb1a85915664d6115"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"45d9bcda21f4c13be75e3571b0f0ef39e77934b5","version_start_inclusive":true,"version_end":"f071b0bf078146368d18e4eec386bf2ddc0ab7e0","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:45d9bcda21f4c13be75e3571b0f0ef39e77934b5:f071b0bf078146368d18e4eec386bf2ddc0ab7e0"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"45d9bcda21f4c13be75e3571b0f0ef39e77934b5","version_start_inclusive":true,"version_end":"2e154b5f53f1b0b490c7b8b02499f90feb86b1d5","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:45d9bcda21f4c13be75e3571b0f0ef39e77934b5:2e154b5f53f1b0b490c7b8b02499f90feb86b1d5"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"45d9bcda21f4c13be75e3571b0f0ef39e77934b5","version_start_inclusive":true,"version_end":"3027ecbdb5fdf9200251c21d4818e4c447ef78e1","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:45d9bcda21f4c13be75e3571b0f0ef39e77934b5:3027ecbdb5fdf9200251c21d4818e4c447ef78e1"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"4.1","version_start_inclusive":true,"version_end":"4.1","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:4.1:4.1"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"0","version_start_inclusive":true,"version_end":"4.1","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:0:4.1"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.6.143","version_start_inclusive":true,"version_end":"6.6.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.6.143:6.6.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.12.94","version_start_inclusive":true,"version_end":"6.12.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.12.94:6.12.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.18.36","version_start_inclusive":true,"version_end":"6.18.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.18.36:6.18.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"7.0.13","version_start_inclusive":true,"version_end":"7.0.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:7.0.13:7.0.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"7.1","version_start_inclusive":true,"version_end":"*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:7.1:*"}],"exploit_refs":[],"news":[],"references":[{"url":"https://git.kernel.org/stable/c/af80f78ce984649e1698b841cd33f4fa505ad828","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/8470f676eadeab99132708acb1a85915664d6115","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/f071b0bf078146368d18e4eec386bf2ddc0ab7e0","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/2e154b5f53f1b0b490c7b8b02499f90feb86b1d5","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/3027ecbdb5fdf9200251c21d4818e4c447ef78e1","source_type":"MISC","tags":[]}],"timeline":[{"type":"published","at":"2026-06-25T08:39:53.852000Z","label":"CVE published","source":null}]}