PT-2026-52230 · Linux · Linux
Published 2026-06-25 · Updated 2026-06-25 · CVE-2026-53134
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_fib: fix stale stack leak via the OIFNAME register
For NFT_FIB_RESULT_OIFNAME the destination register is declared with
len = IFNAMSIZ (four 32-bit registers), but on the lookup-fail,
RTN_LOCAL and oif-mismatch paths nft_fib{4,6}_eval() only writes one
register via "*dest = 0". The remaining three registers are left as
whatever was on the stack in nft_do_chain()'s struct nft_regs, and a
downstream expression that loads the register span can leak that
uninitialised kernel stack to userspace.
The NFTA_FIB_F_PRESENT existence check has the same shape: it is only
meaningful for NFT_FIB_RESULT_OIF, yet it was accepted for any result type
while the eval stores a single byte via nft_reg_store8(), leaving the rest
of the declared span stale.
Fix both:
- replace the bare "*dest = 0" in the eval with nft_fib_store_result(), which strscpy_pad()s the whole IFNAMSIZ for OIFNAME (and is already used on the other early-return path), and
- restrict NFTA_FIB_F_PRESENT to NFT_FIB_RESULT_OIF and declare its destination as a single u8, so the marked span matches the one byte the eval writes.
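The mismatch between the declared span and the bytes actually written, modelled in user-space C as an added example (not kernel code and not taken from the fix). `struct model_regs`, the `model_store_*` helpers, the `0xA5` marker and the register index are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ   16      /* same value as the kernel constant */
#define STALE_BYTE 0xA5    /* constructed marker for "whatever was on the stack" */

/* Hypothetical stand-in for the register file kept on nft_do_chain()'s stack. */
struct model_regs { uint32_t data[20]; };

/* Pre-fix pattern from the description: only one 32-bit register is written. */
static void model_store_bare(uint32_t *dest, const char *name)
{
    (void)name;
    *dest = 0;
}

/* Post-fix pattern: copy the name (if any) and zero-pad all IFNAMSIZ bytes,
 * the behaviour strscpy_pad() provides to the kernel helper. */
static void model_store_padded(uint32_t *dest, const char *name)
{
    char buf[IFNAMSIZ] = {0};
    if (name)
        strncpy(buf, name, IFNAMSIZ - 1);
    memcpy(dest, buf, IFNAMSIZ);
}

/* Dirty the registers, run one store, count marker bytes left in the declared span. */
static size_t stale_bytes_in_span(void (*store)(uint32_t *, const char *),
                                  const char *name, unsigned int dreg)
{
    struct model_regs regs;
    unsigned char span[IFNAMSIZ];
    size_t i, stale = 0;
    memset(&regs, STALE_BYTE, sizeof(regs));   /* simulate leftover stack data */
    store(&regs.data[dreg], name);
    memcpy(span, &regs.data[dreg], sizeof(span)); /* what a downstream load sees */
    for (i = 0; i < sizeof(span); i++)
        stale += (span[i] == STALE_BYTE);
    return stale;
}

int main(void)
{
    printf("bare store:   %zu stale bytes\n", stale_bytes_in_span(model_store_bare, NULL, 4));
    printf("padded store: %zu stale bytes\n", stale_bytes_in_span(model_store_padded, NULL, 4));
    return 0;
}
```

The same counting approach applies to the NFTA_FIB_F_PRESENT case: a one-byte store into a wider declared span leaves every remaining byte of that span untouched.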
Affected Products
Linux