CVE-2026-53002: netfilter: conntrack: remove sprintf usage
In the Linux kernel, the following vulnerability has been resolved:

netfilter: conntrack: remove sprintf usage

Replace it with scnprintf, the buffer sizes are expected to be large enough to hold the result, no need for snprintf+overflow check.

Increase buffer size in mangle_content_len() while at it.

BUG: KASAN: stack-out-of-bounds in vsnprintf+0xea5/0x1270
Write of size 1 at addr [..]
 vsnprintf+0xea5/0x1270
 sprintf+0xb1/0xe0
 mangle_content_len+0x1ac/0x280
 nf_nat_sdp_session+0x1cc/0x240
 process_sdp+0x8f8/0xb80
 process_invite_request+0x108/0x2b0
 process_sip_msg+0x5da/0xf50
 sip_help_tcp+0x45e/0x780
 nf_confirm+0x34d/0x990
 [..]
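The fix swaps sprintf() for scnprintf() when the SIP helper rewrites the SDP Content-Length header. The added example below is not kernel code and not part of this advisory; it reimplements the kernel's scnprintf() contract on top of libc vsnprintf() (assumed helper name kernel_scnprintf) and contrasts it with the byte count an unbounded sprintf() would emit, using a deliberately small 20-byte buffer to show why the bounded call cannot walk past the end of the buffer even when the formatted value is larger than expected.

```c
/* Added example (not Linux kernel code): scnprintf() semantics versus the
 * unbounded sprintf() that CVE-2026-53002 removed from mangle_content_len(). */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Same contract as the kernel's scnprintf(): returns the number of bytes
 * actually stored (excluding the NUL), always in the range 0 .. size-1.
 * snprintf() instead returns the length the output *would* have had, which
 * is why a caller that advances a cursor by it needs an overflow check. */
static int kernel_scnprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int i;

    if (size == 0)
        return 0;
    va_start(ap, fmt);
    i = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (i < 0)
        return 0;
    if ((size_t)i < size)
        return i;
    return (int)size - 1;  /* truncated: report only what was stored */
}

/* Bytes an unbounded sprintf() would write (without the NUL) for the same
 * header; any value >= the buffer size means sprintf() would overflow. */
static size_t sprintf_would_write(unsigned int content_len)
{
    int n = snprintf(NULL, 0, "Content-Length: %u\r\n", content_len);
    return n < 0 ? 0 : (size_t)n;
}

/* Format the header into a constructed 20-byte stack buffer and return the
 * bounded write length; returns -1 if the buffer is not NUL-terminated at
 * that length (i.e. the contract was violated). */
static int bounded_len(unsigned int content_len)
{
    char buf[20];
    int n = kernel_scnprintf(buf, sizeof(buf), "Content-Length: %u\r\n",
                             content_len);
    return (size_t)n == strlen(buf) ? n : -1;
}

int main(void)
{
    unsigned int big = 4294967295u;  /* constructed oversized length */
    printf("sprintf would write %zu bytes into a 20-byte buffer\n",
           sprintf_would_write(big));
    printf("scnprintf stored %d bytes\n", bounded_len(big));
    return 0;
}
```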
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 0
- Affected Products: 2
HarborGuard Analysis
Synopsis
A stack-out-of-bounds write vulnerability exists in the Linux kernel's netfilter connection tracking subsystem, specifically in the SIP ALG (application-layer gateway) code path that processes SIP INVITE messages over TCP. The flaw is reachable over the network without any authentication, allowing a remote attacker to trigger a write past the end of a stack-allocated buffer via a crafted SIP packet. Successful exploitation enables full compromise of confidentiality, integrity, and availability on the affected host, including potential remote code execution. Patched-image rebuilds at versions 5.10.258, 5.15.209, and the identified upstream commits are available on HarborGuard for environments running affected kernel versions.
HarborGuard Coverage
Detection of CVE-2026-53002 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that incorporate affected Linux kernel versions. Any image in a connected registry or CI pipeline that ships a vulnerable kernel variant is flagged automatically without manual configuration.
HarborGuard scores this CVE at 9.8 CRITICAL (CVSS v3.1) and surfaces it at the top of each affected environment's vulnerability queue. Per-environment compliance policy weighting is applied to route alerts to the appropriate team inbox, so container security owners and platform engineers each see findings scoped to their workloads.
A patched-image rebuild targeting the fixed kernel versions (5.10.258, 5.15.209, or the upstream commit refs) becomes available in HarborGuard the moment fix availability is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; for high and critical severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
The vulnerable code path is reachable over the network; an attacker must be able to send TCP SIP traffic to a host running the affected kernel with netfilter SIP connection tracking enabled.
- Authentication: Not required
No authentication or valid account is required; the attacker sends unauthenticated SIP packets to trigger the overflow.
- Victim interaction: Not required
No user action or victim interaction is needed; the exploit is fully drive-by against the listening network service.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race wins, or memory-layout knowledge beyond crafting a malformed SIP INVITE payload.
Blast Radius
- A successful attacker writes out-of-bounds on a kernel stack buffer, which can corrupt adjacent stack data and enable arbitrary code execution in kernel context.
- Kernel-level code execution grants read access to all memory on the host, including secrets, credentials, and data belonging to every container and process running on the node.
- The attacker can modify any in-memory or on-disk data accessible to the kernel, including container filesystem layers and mounted volumes.
- Kernel panic or memory corruption can crash the affected node entirely, taking down all containers and workloads co-hosted on that instance.
How HarborGuard Handles This
On HarborGuard, any image in a customer registry or pipeline that ships a Linux kernel older than 5.10.258 or 5.15.209 (or that predates the relevant upstream commit) is flagged as critically vulnerable as soon as the scan cycle completes. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image against the patched kernel version, executes a regression test run, and opens a pull request against affected workload manifests; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not yet enabled, HarborGuard surfaces the finding with full CVSS detail and fix-version guidance so teams can prioritize manual remediation. As a compensating control while patching is in progress, network policy rules that restrict inbound SIP (TCP port 5060/5061) to trusted sources only can reduce the exposed attack surface for this specific code path; note that the vulnerable path is only reachable when the netfilter SIP connection-tracking helper is enabled on the host.
Fix available
- Linux / Linux:
  - < 2f793ba78470a99f40389b7dc60a81d9f5ad3956 (from 9fafcd7b203229c3f3893a475741afc27e276306)
  - < 6bbf829b4c1b44c941c47dd0d710f1393258f3d5 (from 9fafcd7b203229c3f3893a475741afc27e276306)
  - < ab64e61c9323fa6de21bd20da1ddb29a0fb65d34 (from 9fafcd7b203229c3f3893a475741afc27e276306)
  - < 1c9fb8aeed06790d42cdcd00f6c3ce0b9e926c1e (from 9fafcd7b203229c3f3893a475741afc27e276306)
  - < a8e0a32a23d3f34862af3b4da792ecb3a891a9a3 (from 9fafcd7b203229c3f3893a475741afc27e276306)
  - < 8e3be0d12615a173fe260cd42753ca7a001acbf2 (from 9fafcd7b203229c3f3893a475741afc27e276306)
- Linux / Linux 2.6.20: Fixed in 0, 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, 7.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H