CVE-2026-52942

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf log: validate MAC header was set before dumping it

The fallback path of dump mac header() guards the MAC header access only with "skb->mac header != skb->network header", without checking skb mac header was set(). When the MAC header is unset, mac header is 0xffff, so the test passes and skb mac header(skb) returns skb->head + 0xffff, ~64 KiB past the buffer; the loop then reads dev->hard header len bytes out of bounds into the kernel log.

This is reachable via the netdev logger: nf log unknown packet() calls dump mac header() unconditionally, and an skb sent through AF PACKET with PACKET QDISC BYPASS reaches the egress hook with mac header still unset ( dev queue xmit(), which would reset it, is bypassed).

Add the skb mac header was set() check the ARPHRD ETHER path already uses, and replace the open-coded MAC header length test with skb mac header len(). Only skbs with an unset MAC header are affected; valid ones are dumped as before.

BUG: KASAN: slab-out-of-bounds in dump mac header (net/netfilter/nf log syslog.c:831) Read of size 1 at addr ffff88800ea49d3f by task exploit/148 Call Trace: kasan report (mm/kasan/report.c:595) dump mac header (net/netfilter/nf log syslog.c:831) nf log netdev packet (net/netfilter/nf log syslog.c:938 net/netfilter/nf log syslog.c:963) nf log packet (net/netfilter/nf log.c:260) nft log eval (net/netfilter/nft log.c:60) nft do chain (net/netfilter/nf tables core.c:285) nft do chain netdev (net/netfilter/nft chain filter.c:307) nf hook slow (net/netfilter/core.c:619) nf hook direct egress (net/packet/af packet.c:257) packet xmit (net/packet/af packet.c:280) packet sendmsg (net/packet/af packet.c:3114) sys sendto (net/socket.c:2265)