PT-2026-52230 · Linux · Linux

Published 2026-06-25 · Updated 2026-06-25 · CVE-2026-53134

None

No severity ratings or metrics are available. When they become available, we will update the corresponding information on this page.
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_fib: fix stale stack leak via the OIFNAME register
For NFT_FIB_RESULT_OIFNAME the destination register is declared with len = IFNAMSIZ (four 32-bit registers), but on the lookup-fail, RTN_LOCAL and oif-mismatch paths nft_fib{4,6}_eval() only writes one register via "*dest = 0". The remaining three registers are left as whatever was on the stack in nft_do_chain()'s struct nft_regs, and a downstream expression that loads the register span can leak that uninitialised kernel stack to userspace.
The NFTA_FIB_F_PRESENT existence check has the same shape: it is only meaningful for NFT_FIB_RESULT_OIF, yet it was accepted for any result type while the eval stores a single byte via nft_reg_store8(), leaving the rest of the declared span stale.
Fix both:
  • replace the bare "*dest = 0" in the eval with nft_fib_store_result(), which strscpy_pad()s the whole IFNAMSIZ for OIFNAME (and is already used on the other early-return path), and
  • restrict NFTA_FIB_F_PRESENT to NFT_FIB_RESULT_OIF and declare its destination as a single u8, so the marked span matches the one byte the eval writes.
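
The mismatch between the declared span and the bytes actually written can be reproduced in a user-space model. This is an added example, not kernel code or code from the fix: `struct model_regs`, `store_fail_partial()`, `store_name_padded()` and `stale_bytes()` are hypothetical names, and the 0xA5 fill is a constructed stand-in for old stack contents.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16   /* declared OIFNAME span: four 32-bit registers */
#define POISON   0xA5 /* constructed marker for "whatever was on the stack" */

/* Hypothetical stand-in for a register file that lives on the stack. */
struct model_regs { uint32_t data[8]; };

/* Pre-fix shape: the failure path writes a single 32-bit register. */
static void store_fail_partial(uint32_t *dest) { *dest = 0; }

/* Post-fix shape: copy the name and zero-pad the whole declared span,
 * modelling the strscpy_pad() behaviour the description refers to. */
static void store_name_padded(uint32_t *dest, const char *name)
{
    char buf[IFNAMSIZ] = {0};
    size_t n = strlen(name);

    if (n >= IFNAMSIZ)
        n = IFNAMSIZ - 1;          /* always leave room for the terminator */
    memcpy(buf, name, n);
    memcpy(dest, buf, IFNAMSIZ);   /* every byte of the span is overwritten */
}

/* Return how many bytes of the declared span still hold the poison value
 * after the failure-path store, i.e. what a later load would expose. */
static size_t stale_bytes(int use_fixed)
{
    struct model_regs regs;
    const unsigned char *p = (const unsigned char *)&regs.data[0];
    size_t i, stale = 0;

    memset(&regs, POISON, sizeof(regs));
    if (use_fixed)
        store_name_padded(&regs.data[0], "");
    else
        store_fail_partial(&regs.data[0]);

    for (i = 0; i < IFNAMSIZ; i++)
        stale += (p[i] == POISON);
    return stale;
}

int main(void)
{
    printf("partial store: %zu stale bytes\n", stale_bytes(0));
    printf("padded store:  %zu stale bytes\n", stale_bytes(1));
    return 0;
}
```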

Related identifiers

CVE-2026-53134

Affected products

Linux