FKIE_CVE-2026-53014
Vulnerability from fkie_nvd - Published: 2026-06-24 17:17 - Updated: 2026-06-24 17:17
Severity
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir
In tcf_blockcast_redir(), when iterating block ports to redirect
packets to multiple devices, the mac_header_xmit flag is queried
from the wrong device. The loop sends to dev_prev but queries
dev_is_mac_header_xmit(dev) — which is the NEXT device in the
iteration, not the one being sent to.
This causes tcf_mirred_to_dev() to make incorrect decisions about
whether to push or pull the MAC header. When the block contains
mixed device types (e.g., an ethernet veth and a tunnel device),
intermediate devices get the wrong mac_header_xmit flag, leading to
skb header corruption. In the worst case, skb_push_rcsum with an
incorrect mac_len can exhaust headroom and panic.
The last device in the loop is handled correctly (line 365-366 uses
dev_is_mac_header_xmit(dev_prev)), confirming this is a copy-paste
oversight for the intermediate devices.
Fix by using dev_prev instead of dev for the mac_header_xmit query,
consistent with the device actually being sent to.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"affected": [
{
"affectedData": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/act_mirred.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8fda5174286119addd28473fb2ec5bdf521c05a8",
"status": "affected",
"version": "42f39036cda808d3de243192a2cf5125f12f3047",
"versionType": "git"
},
{
"lessThan": "7db3e4e03032261b1b519341123fc30d995478ca",
"status": "affected",
"version": "42f39036cda808d3de243192a2cf5125f12f3047",
"versionType": "git"
},
{
"lessThan": "4764953c4b47585eb72797b216b63a831dc0c7e6",
"status": "affected",
"version": "42f39036cda808d3de243192a2cf5125f12f3047",
"versionType": "git"
},
{
"lessThan": "4510d140524ca7d6e772db962e013f26f09a63b1",
"status": "affected",
"version": "42f39036cda808d3de243192a2cf5125f12f3047",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/act_mirred.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir\n\nIn tcf_blockcast_redir(), when iterating block ports to redirect\npackets to multiple devices, the mac_header_xmit flag is queried\nfrom the wrong device. The loop sends to dev_prev but queries\ndev_is_mac_header_xmit(dev) \u2014 which is the NEXT device in the\niteration, not the one being sent to.\n\nThis causes tcf_mirred_to_dev() to make incorrect decisions about\nwhether to push or pull the MAC header. When the block contains\nmixed device types (e.g., an ethernet veth and a tunnel device),\nintermediate devices get the wrong mac_header_xmit flag, leading to\nskb header corruption. In the worst case, skb_push_rcsum with an\nincorrect mac_len can exhaust headroom and panic.\n\nThe last device in the loop is handled correctly (line 365-366 uses\ndev_is_mac_header_xmit(dev_prev)), confirming this is a copy-paste\noversight for the intermediate devices.\n\nFix by using dev_prev instead of dev for the mac_header_xmit query,\nconsistent with the device actually being sent to."
}
],
"id": "CVE-2026-53014",
"lastModified": "2026-06-24T17:17:12.683",
"metrics": {},
"published": "2026-06-24T17:17:12.683",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/4510d140524ca7d6e772db962e013f26f09a63b1"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/4764953c4b47585eb72797b216b63a831dc0c7e6"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/7db3e4e03032261b1b519341123fc30d995478ca"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/8fda5174286119addd28473fb2ec5bdf521c05a8"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Received"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…