CVE-2026-53131: netfilter: require Ethernet MAC header before using eth_hdr()
In the Linux kernel, the following vulnerability has been resolved: netfilter: require Ethernet MAC header before using eth_hdr() `ip6t_eui64`, `xt_mac`, the `bitmap:ip,mac`, `hash:ip,mac`, and `hash:mac` ipset types, and `nf_log_syslog` access `eth_hdr(skb)` after either assuming that the skb is associated with an Ethernet device or checking only that the `ETH_HLEN` bytes at `skb_mac_header(skb)` lie between `skb->head` and `skb->data`. Make these paths first verify that the skb is associated with an Ethernet device, that the MAC header was set, and that it spans at least a full Ethernet header before accessing `eth_hdr(skb)`.
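The two checks described above side by side, as an added user-space model that is not the kernel's code: the `model_skb` and `model_dev` structs, the `MAC_HEADER_UNSET` sentinel and the `eth_checks` helper are assumptions made for this example, with only `ETH_HLEN` and the `ARPHRD_*` values taken from the kernel's definitions.

```c
#include <stdbool.h>
#include <stdint.h>

#define ETH_HLEN 14               /* dst MAC + src MAC + EtherType */
#define ARPHRD_ETHER 1            /* dev->type of an Ethernet device */
#define ARPHRD_NONE 0xFFFE        /* dev->type of a headerless device */
#define MAC_HEADER_UNSET 0xFFFFU  /* offset meaning "MAC header not set" */

struct model_dev { uint16_t type; };

/* Constructed model holding only the sk_buff fields the check needs. */
struct model_skb {
    unsigned char *head;    /* start of buffer */
    unsigned char *data;    /* start of the network header */
    uint16_t mac_header;    /* link-layer header offset from head */
    struct model_dev *dev;
};

/* Pre-fix style check: ETH_HLEN bytes at the MAC header lie inside
 * [head, data). A non-Ethernet link header of 14+ bytes passes it, so
 * eth_hdr() would then read unrelated bytes as MAC addresses. */
static bool weak_eth_check(const struct model_skb *skb)
{
    const unsigned char *mac = skb->head + skb->mac_header;
    return mac >= skb->head && mac + ETH_HLEN <= skb->data;
}

/* Hardened check from the advisory: Ethernet device, MAC header set,
 * and the region before skb->data holds a full Ethernet header. */
static bool has_full_eth_header(const struct model_skb *skb)
{
    if (!skb->dev || skb->dev->type != ARPHRD_ETHER)
        return false;
    if (skb->mac_header == MAC_HEADER_UNSET)
        return false;
    const unsigned char *mac = skb->head + skb->mac_header;
    return skb->data - mac >= ETH_HLEN;
}

/* Build a constructed skb and report which checks accept it:
 * bit 0 = weak check passes, bit 1 = hardened check passes. */
int eth_checks(uint16_t dev_type, unsigned mac_off, unsigned net_off, bool mac_set)
{
    static unsigned char buf[0x10010];  /* large enough for the unset sentinel */
    struct model_dev dev = { dev_type };
    struct model_skb skb = { buf, buf + net_off,
                             (uint16_t)(mac_set ? mac_off : MAC_HEADER_UNSET), &dev };
    return (weak_eth_check(&skb) ? 1 : 0) | (has_full_eth_header(&skb) ? 2 : 0);
}
```

The second case is the one the advisory is about: a 20-byte link header on a non-Ethernet device satisfies the bounds-only check, yet the hardened check rejects it because the device is not Ethernet.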
Metrics
- CVSS v3.1: 9.4
- Severity: CRITICAL
- Fixed in: 063f43361e884acd7300790e90194430275d0d0c
- Affected Products: 2
HarborGuard Analysis
Synopsis
An out-of-bounds memory access vulnerability exists in the Linux kernel's netfilter subsystem, affecting several components including ip6t_eui64, xt_mac, multiple ipset types (bitmap:ip,mac, hash:ip,mac, hash:mac), and nf_log_syslog. The flaw is reachable over the network without any authentication, because maliciously crafted network packets can trigger the vulnerable code paths in kernel space. Successful exploitation gives an attacker the ability to read sensitive kernel memory, partially modify data, and crash the affected system. A patched-image rebuild at the fix versions is available on HarborGuard for environments running an affected kernel.
HarborGuard Coverage
Detection of CVE-2026-53131 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that carry their own kernel or netfilter packages. Any image containing an affected Linux kernel version is flagged immediately upon scan.
HarborGuard scores this CVE at CVSS 9.4 (Critical) and surfaces it accordingly in each customer's priority queue, weighted further by any compliance policy thresholds the customer org has configured. Triage alerts are routed to the inbox or ticketing integration the customer has set up for Critical-severity kernel findings.
A patched-image rebuild at the fix commit and the 5.15.210 version boundary becomes available on HarborGuard once an image containing the corrected kernel is resolvable from upstream. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs regression tests, and opens a pull request against each affected workload automatically.
Exploit Conditions
- Network reachability: Required
The attacker must be able to send packets to the target system over the network; the vulnerable netfilter paths are reachable via crafted network traffic without requiring any local presence on the host.
- Authentication: Not required
No credentials or account are needed; the vulnerable code paths can be reached by any unauthenticated network sender.
- Victim interaction: Not required
No user action is required; the kernel processes incoming packets automatically, triggering the vulnerable path without any human on the target system needing to do anything.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race timing, or memory-layout knowledge to trigger.
Blast Radius
- An attacker can read kernel memory contents, exposing data such as cryptographic material, session state, or other in-kernel buffers.
- An attacker can partially overwrite kernel data, allowing limited tampering with packet-processing state or netfilter rule outcomes.
- An attacker can crash the kernel by triggering the out-of-bounds access, causing a full system reboot and denial of service for all workloads on that host.
- Any container sharing the host kernel is affected equally, so a single crafted packet stream can impact multiple co-located workloads simultaneously.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of the CVE being published, matching any image whose kernel version falls below the fixed commits or 5.15.210. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched version, runs a regression suite, and opens a pull request against affected workloads; for Critical-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image is staged and a review request is routed to the appropriate team. Customers who cannot immediately patch should consider applying network policy controls to restrict which sources can send traffic to hosts running exposed netfilter configurations, limiting the population of packets that can reach the vulnerable code paths until the kernel image is updated.
Fix available
- Linux / Linux: < 4435888e1bf139d2bfe5911643d4217382136743 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < 063f43361e884acd7300790e90194430275d0d0c (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < 726abf97566867f808fec9d8a408eb9698bd570a (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < 367abcacc13a8e2e7624408b7f593bd1e60e49d9 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < 5d634afb8b83b49de562792fd0d047416a43bd4d (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < cea435ea7e868ea6fdf039bc4f2090c1d829b556 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2)
- Linux / Linux: Fixed in 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, 7.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H