GHSA-X2V8-3Q4Q-R8G6

Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-24 18:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir

In tcf_blockcast_redir(), when iterating block ports to redirect packets to multiple devices, the mac_header_xmit flag is queried from the wrong device. The loop sends to dev_prev but queries dev_is_mac_header_xmit(dev) — which is the NEXT device in the iteration, not the one being sent to.

This causes tcf_mirred_to_dev() to make incorrect decisions about whether to push or pull the MAC header. When the block contains mixed device types (e.g., an ethernet veth and a tunnel device), intermediate devices get the wrong mac_header_xmit flag, leading to skb header corruption. In the worst case, skb_push_rcsum with an incorrect mac_len can exhaust headroom and panic.

The last device in the loop is handled correctly (line 365-366 uses dev_is_mac_header_xmit(dev_prev)), confirming this is a copy-paste oversight for the intermediate devices.

Fix by using dev_prev instead of dev for the mac_header_xmit query, consistent with the device actually being sent to.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53014"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T17:17:12Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir\n\nIn tcf_blockcast_redir(), when iterating block ports to redirect\npackets to multiple devices, the mac_header_xmit flag is queried\nfrom the wrong device. The loop sends to dev_prev but queries\ndev_is_mac_header_xmit(dev) \u2014 which is the NEXT device in the\niteration, not the one being sent to.\n\nThis causes tcf_mirred_to_dev() to make incorrect decisions about\nwhether to push or pull the MAC header. When the block contains\nmixed device types (e.g., an ethernet veth and a tunnel device),\nintermediate devices get the wrong mac_header_xmit flag, leading to\nskb header corruption. In the worst case, skb_push_rcsum with an\nincorrect mac_len can exhaust headroom and panic.\n\nThe last device in the loop is handled correctly (line 365-366 uses\ndev_is_mac_header_xmit(dev_prev)), confirming this is a copy-paste\noversight for the intermediate devices.\n\nFix by using dev_prev instead of dev for the mac_header_xmit query,\nconsistent with the device actually being sent to.",
  "id": "GHSA-x2v8-3q4q-r8g6",
  "modified": "2026-06-24T18:32:43Z",
  "published": "2026-06-24T18:32:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53014"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4510d140524ca7d6e772db962e013f26f09a63b1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4764953c4b47585eb72797b216b63a831dc0c7e6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7db3e4e03032261b1b519341123fc30d995478ca"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8fda5174286119addd28473fb2ec5bdf521c05a8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…