CVE-2026-53219 Overview
CVE-2026-53219 is an information disclosure vulnerability in the Linux kernel's netfilter subsystem, specifically in the x_tables get-entries code paths. The native and compat get-entries handlers copy the fixed rule entry header from the kernelized rule blob to userspace before overwriting the counter fields with a sanitized snapshot. On symmetric multiprocessing (SMP) kernels, entry->counters.pcnt holds the raw percpu allocation address used by x_tables rule counters. A crafted userspace buffer that faults between the header copy and the sanitized counter copy causes the syscall to return -EFAULT while leaving the internal percpu pointer in the user buffer.
Critical Impact
Local users can leak kernel percpu counter pointers, defeating Kernel Address Space Layout Randomization (KASLR) and enabling reliable exploitation of other kernel memory corruption issues.
Affected Products
- Linux kernel netfilter IPv4 (ip_tables) native and compat get-entries paths
- Linux kernel netfilter IPv6 (ip6_tables) native and compat get-entries paths
- Linux kernel netfilter ARP (arp_tables) native and compat get-entries paths
Discovery Timeline
- 2026-06-25 - CVE-2026-53219 published to the National Vulnerability Database (NVD)
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-53219
Vulnerability Analysis
The x_tables framework exposes rule retrieval through the get_entries interface used by iptables, ip6tables, and arptables. When servicing this request, the kernel copies the rule blob to userspace in two stages. First it copies the fixed entry header, which includes the embedded xt_counters structure. Then it overwrites the counter fields with a sanitized snapshot built from per-CPU counter aggregation.
On SMP builds, the in-kernel xt_counters.pcnt field is reused as a pointer to the percpu allocation backing the counter. This pointer is a kernel virtual address. The two-step copy pattern was intended to ensure the pointer never reaches userspace, but it relies on the second copy_to_user succeeding.
Root Cause
The root cause is an ordering flaw in the get-entries code paths for IPv4, IPv6, and ARP, including both the native and 32-bit compat variants. The fixed header copy writes the raw pcnt pointer into the user buffer first. If the caller arranges for the subsequent sanitized counter copy to fault, for example by mapping the second page of the destination buffer as unreadable, the syscall returns -EFAULT but the kernel pointer remains in the partially written userspace buffer.
Attack Vector
An unprivileged local attacker in a network namespace with CAP_NET_ADMIN calls getsockopt with IPT_SO_GET_ENTRIES, IP6T_SO_GET_ENTRIES, or ARPT_SO_GET_ENTRIES against a crafted destination buffer that faults at a controlled offset. The fault is placed after the xt_counters field in the header so that the percpu pointer is committed to the user page before the sanitized overwrite is attempted. The attacker then reads the leaked pointer to derive kernel base addresses and bypass KASLR. The fix copies only the fixed entry prefix preceding the counters from the kernel blob, then writes the sanitized counter snapshot into the counter field, ensuring the raw pcnt value never crosses the kernel boundary.
Detection Methods for CVE-2026-53219
Indicators of Compromise
- Unprivileged processes or container workloads invoking getsockopt with IPT_SO_GET_ENTRIES, IP6T_SO_GET_ENTRIES, or ARPT_SO_GET_ENTRIES at high frequency.
- Repeated getsockopt calls returning -EFAULT against netfilter table sockets from the same process.
- Processes enumerating iptables, ip6tables, or arptables rule sets without a legitimate administrative purpose.
Detection Strategies
- Audit getsockopt syscalls on AF_INET, AF_INET6, and AF_PACKET sockets requesting x_tables rule entries using auditd or eBPF tracing.
- Correlate EFAULT returns from x_tables get-entries calls with subsequent suspicious behavior such as kernel exploit staging.
- Flag use of CAP_NET_ADMIN from containers or user namespaces where this capability is not expected.
Monitoring Recommendations
- Deploy kernel-level telemetry that records syscall arguments and return codes for netfilter administrative interfaces.
- Track kernel version inventory across Linux fleets and alert on hosts running unpatched stable branches.
- Monitor for new local privilege escalation attempts, since pointer leaks frequently precede chained kernel exploitation.
How to Mitigate CVE-2026-53219
Immediate Actions Required
- Apply the upstream stable kernel updates that include the fix for the netfilter: x_tables: avoid leaking percpu counter pointers patch series.
- Rebuild and reboot affected hosts; the vulnerable code path is in the kernel and cannot be hot-patched by user-space changes.
- Restrict CAP_NET_ADMIN inside containers and user namespaces where rule enumeration is not required.
Patch Information
The fix reorders the userspace copy in the native and compat get-entries handlers for ip_tables, ip6_tables, and arp_tables. Only the fixed entry prefix before the counters is copied from the kernelized rule blob, after which the sanitized counter snapshot is copied into the counter field. Stable backports are available in the following commits: 08a3e218064d, 0b35dc8527cc, 8d67e42ad3b1, a0d16941adf3, b28e2fcad3db, b74ba3343eb4, f7f2fbb0e893, and fb0521aff1e1.
Workarounds
- Drop CAP_NET_ADMIN from unprivileged user namespaces by setting kernel.unprivileged_userns_clone=0 where supported, or by using sysctl user.max_user_namespaces=0 on hosts that do not require it.
- Use seccomp profiles to block getsockopt calls targeting x_tables rule retrieval from untrusted workloads such as containerized applications.
- Limit access to network namespace administration to trusted users and service accounts until the kernel patch is deployed.
# Restrict unprivileged user namespaces and verify kernel version after patching
sysctl -w kernel.unprivileged_userns_clone=0
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

