CVE-2026-53014

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act mirred: fix wrong device for mac header xmit check in tcf blockcast redir

In tcf blockcast redir(), when iterating block ports to redirect packets to multiple devices, the mac header xmit flag is queried from the wrong device. The loop sends to dev prev but queries dev is mac header xmit(dev) — which is the NEXT device in the iteration, not the one being sent to.

This causes tcf mirred to dev() to make incorrect decisions about whether to push or pull the MAC header. When the block contains mixed device types (e.g., an ethernet veth and a tunnel device), intermediate devices get the wrong mac header xmit flag, leading to skb header corruption. In the worst case, skb push rcsum with an incorrect mac len can exhaust headroom and panic.

The last device in the loop is handled correctly (line 365-366 uses dev is mac header xmit(dev prev)), confirming this is a copy-paste oversight for the intermediate devices.

Fix by using dev prev instead of dev for the mac header xmit query, consistent with the device actually being sent to.