CVE-2026-53266 Overview
CVE-2026-53266 is a Linux kernel vulnerability in the netfilter bridge subsystem. The flaw exists in the ebt_snat target's optional ARP sender hardware address (SHA) rewrite path. The code calls skb_store_bits() to write into the socket buffer (skb) without first ensuring the target range is writable. When the ARP SHA range resides in a nonlinear skb fragment backed by a splice-imported file page, the write modifies the underlying page directly. This can corrupt memory belonging to unrelated kernel objects or user-space mappings. The issue has been resolved upstream by ensuring the ARP SHA range is writable before reading the ARP header and calling skb_store_bits().
Critical Impact
Improper writability checks in the ebtables SNAT ARP rewrite path allow modification of memory backing splice-imported file pages, leading to kernel memory corruption.
Affected Products
- Linux kernel (mainline) — netfilter bridge ebt_snat target
- Linux stable branches that predate the backported fix commits
- Distributions shipping vulnerable kernel versions with bridge ebtables enabled
Discovery Timeline
- 2026-06-25 - CVE-2026-53266 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-53266
Vulnerability Analysis
The vulnerability is a kernel memory corruption issue in the bridge netfilter ebtables SNAT target. At the bridge ebtables hooks, the Ethernet header is reached through skb_mac_header() and eth_hdr(), while skb->data points at the Ethernet payload. The SNAT target deliberately uses skb_ensure_writable(skb, 0): a zero length unshares a cloned skb so the Ethernet source address can be rewritten in place, but it pulls none of the payload, preserving the small-packet fix from commit 63137bc5882a.
The optional ARP sender hardware address rewrite, however, calls skb_store_bits(skb, sizeof(struct arphdr), info->mac, ETH_ALEN) at an offset relative to skb->data, so the six bytes it writes start eight bytes into the payload. The preceding skb_header_pointer() call only guarantees that the ARP header can be read (copying it into a stack buffer when it is not linear); it makes nothing writable. If the SHA range is still held in a nonlinear skb fragment backed by a splice-imported file page, skb_store_bits() maps the frag page and writes the new MAC address straight into that page, which the page cache and every other mapping of the file share.
Root Cause
The root cause is a missing writability guarantee before an in-place skb modification. skb_header_pointer() provides read-only safety, but a following skb_store_bits() requires the target range to be memory private to the skb, that is, pulled into the linear area or unshared by an skb_ensure_writable() call whose length covers the full range. Without that, the write lands on memory the skb does not own, here file-backed pages introduced via splice().
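To make the mechanism concrete, here is an added userspace model of the write path; it is not kernel code and not the upstream fix. The toy_* helpers are assumptions that imitate skb_store_bits() (scatter-write across the linear area and a frag, regardless of who owns the frag page) and skb_ensure_writable() (pull the requested prefix into the private linear area). The ARP frame, the shared "file page" and the fixed variant's length of sizeof(struct arphdr) + ETH_ALEN are constructed for the example; the real patch may be shaped differently.

```c
/* Added example, not kernel code: a userspace model of the ebt_snat ARP SHA write.
 * Assumed helpers toy_store_bits()/toy_ensure_writable() imitate the kernel's
 * skb_store_bits()/skb_ensure_writable() closely enough to show why checking
 * writability for zero bytes is not enough. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_ALEN   6
#define ARPHDR_LEN 8   /* sizeof(struct arphdr): ar_hrd, ar_pro, ar_hln, ar_pln, ar_op */

/* Toy skb: "data" is the ARP payload. Bytes [0, linear_len) are private to the skb;
 * the rest live in one frag that references a page the skb does not own
 * (here: a page imported from a file via splice()). */
struct toy_skb {
    uint8_t  head[64];      /* private linear area */
    size_t   linear_len;
    uint8_t *frag_page;     /* shared page backing the frag */
    size_t   frag_len;
};

/* Model of skb_store_bits(): writes into the linear area and the frag alike,
 * never asking who owns the frag page, just like the kernel helper. */
static int toy_store_bits(struct toy_skb *skb, size_t off, const uint8_t *src, size_t len)
{
    if (off + len > skb->linear_len + skb->frag_len)
        return -1;
    for (size_t i = 0; i < len; i++) {
        size_t pos = off + i;
        if (pos < skb->linear_len)
            skb->head[pos] = src[i];
        else
            skb->frag_page[pos - skb->linear_len] = src[i];   /* lands on the shared page */
    }
    return 0;
}

/* Model of skb_ensure_writable(skb, write_len): pull bytes [0, write_len) into the
 * private linear area (what pskb_may_pull() does), copying them out of the frag. */
static int toy_ensure_writable(struct toy_skb *skb, size_t write_len)
{
    if (write_len <= skb->linear_len)
        return 0;                                   /* write_len == 0 always passes */
    size_t pull = write_len - skb->linear_len;
    if (pull > skb->frag_len || write_len > sizeof skb->head)
        return -1;
    memcpy(skb->head + skb->linear_len, skb->frag_page, pull);
    skb->frag_page += pull;                         /* frag now starts after the pulled bytes */
    skb->frag_len  -= pull;
    skb->linear_len = write_len;
    return 0;
}

/* Vulnerable pattern: writability checked for zero bytes, then the SHA is written
 * at ARPHDR_LEN, which may sit inside the frag. */
static int snat_arp_vulnerable(struct toy_skb *skb, const uint8_t mac[ETH_ALEN])
{
    if (toy_ensure_writable(skb, 0))
        return -1;
    if (skb->head[4] != ETH_ALEN)                   /* ar_hln check on the linear header */
        return 0;
    return toy_store_bits(skb, ARPHDR_LEN, mac, ETH_ALEN);
}

/* Fixed pattern (assumed shape, not the upstream diff): make the whole
 * [0, ARPHDR_LEN + ETH_ALEN) range private before reading the header or writing. */
static int snat_arp_fixed(struct toy_skb *skb, const uint8_t mac[ETH_ALEN])
{
    if (toy_ensure_writable(skb, ARPHDR_LEN + ETH_ALEN))
        return -1;
    if (skb->head[4] != ETH_ALEN)
        return 0;
    return toy_store_bits(skb, ARPHDR_LEN, mac, ETH_ALEN);
}

/* Constructed scenario: an ARP request whose 8-byte header is linear and whose sender
 * hardware address lives in the splice-imported page. Returns 1 if the shared page was
 * modified by the SNAT write, 0 if it was left intact. */
int snat_modifies_shared_page(int use_fixed)
{
    static const uint8_t arp_hdr[ARPHDR_LEN] = { 0, 1, 0x08, 0x00, ETH_ALEN, 4, 0, 1 };
    static const uint8_t new_mac[ETH_ALEN]   = { 0x02, 0, 0, 0, 0, 0xff };
    uint8_t file_page[32], snapshot[32];
    struct toy_skb skb;

    for (size_t i = 0; i < sizeof file_page; i++)
        file_page[i] = (uint8_t)(0xa0 + i);         /* stands in for page-cache content */
    memcpy(snapshot, file_page, sizeof file_page);

    memset(&skb, 0, sizeof skb);
    memcpy(skb.head, arp_hdr, ARPHDR_LEN);
    skb.linear_len = ARPHDR_LEN;
    skb.frag_page  = file_page;
    skb.frag_len   = sizeof file_page;

    if (use_fixed)
        snat_arp_fixed(&skb, new_mac);
    else
        snat_arp_vulnerable(&skb, new_mac);

    return memcmp(file_page, snapshot, sizeof file_page) != 0;
}
```

With the vulnerable path the six SHA bytes overwrite the start of file_page, the toy stand-in for the page-cache page; with the fixed path the same write lands in the skb's own linear area and the page is untouched.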
Attack Vector
A local attacker who can configure ebtables rules in the network namespace that owns the bridge (CAP_NET_ADMIN in that namespace, which an unprivileged user namespace can provide on hosts where those are enabled) and can send packets across the bridge with the ebt_snat ARP rewrite option active can trigger the unsafe write. The packet must carry an ARP payload held in a nonlinear skb fragment backed by a splice-imported file page. The result is unauthorized modification of memory outside the packet buffer the target is meant to edit.
No verified public exploit code is available. The vulnerability mechanism is documented in the upstream patch series referenced below. See Kernel Git Commit 153ea96 and Kernel Git Commit c9b5ff5 for the source-level fix.
Detection Methods for CVE-2026-53266
Indicators of Compromise
- Unexpected kernel oops or memory corruption reports referencing ebt_snat, skb_store_bits, or bridge netfilter call paths.
- Loaded ebtables rules using the SNAT target with the --snat-arp option on bridged interfaces.
- Unexplained changes to the contents of files whose pages were spliced into sockets on a bridged host, since the stray write lands on a page-cache page rather than on kernel heap.
Detection Strategies
- Inventory kernel versions across Linux fleet and flag hosts running unpatched releases that include the bridge netfilter ebt_snat module.
- Audit running ebtables configurations for SNAT targets with ARP rewrite options enabled on bridged hosts.
- Verify the fix in a test environment rather than relying on sanitizers: the write lands on a validly mapped page-cache page, so KASAN and KFENCE do not flag it and only its later consequences might surface. Check instead that file data sent through a bridge via splice() is unchanged after an ARP-rewriting SNAT rule has fired on the test traffic.
Monitoring Recommendations
- Monitor dmesg and kernel logs for warnings or oops messages whose backtrace includes ebt_snat_tg or skb_store_bits.
- Track loading of the ebt_snat kernel module and changes to ebtables rules via auditd.
- Do not alert on splice() itself; ordinary servers and file transfers use it constantly and it gives no signal on its own. In multi-tenant systems, alert instead on tenants creating bridges or loading ebtables rules inside their own network namespaces, which is the privilege the attack needs.
How to Mitigate CVE-2026-53266
Immediate Actions Required
- Apply the upstream kernel patches as soon as your distribution provides updated packages.
- Restrict CAP_NET_ADMIN to trusted administrators so untrusted users cannot load ebtables SNAT rules. Where unprivileged user namespaces are enabled they grant CAP_NET_ADMIN inside a fresh network namespace, so consider disabling them (for example with sysctl user.max_user_namespaces=0) on hosts that do not need them.
- If bridge ebtables ARP rewrite is not required, remove or avoid configuring ebt_snat rules with the ARP MAC option.
Patch Information
The issue is resolved by ensuring the ARP SHA range is writable before reading the ARP header and before calling skb_store_bits(). Fix commits are available in the Linux stable tree:
- Kernel Git Commit 153ea96
- Kernel Git Commit 67ba971
- Kernel Git Commit 76280b7
- Kernel Git Commit afd64b5
- Kernel Git Commit b186752
- Kernel Git Commit b7e9193
- Kernel Git Commit bf84ad7
- Kernel Git Commit c9b5ff5
Workarounds
- Blacklist the ebt_snat module on systems that do not require ebtables SNAT functionality.
- Remove SNAT rules with the ARP MAC rewrite option (--snat-arp) from bridge ebtables tables until the patch is applied.
- Do not rely on unloading br_netfilter: it only makes bridged traffic visible to the iptables/nftables IP hooks and is not what loads ebt_snat. Where ebtables NAT is not needed by the workload, remove the nat-table rules and keep the ebtable_nat and ebt_snat modules from loading instead.
# Configuration example: remove ARP-rewriting SNAT rules first, then keep ebt_snat from loading until patched
# 1. List nat-table rules with rule numbers (--Ln) and show those carrying --snat-arp
sudo ebtables -t nat -L --Ln | grep -i 'snat.*--snat-arp'
# 2. Delete each matching rule by chain and rule number, highest number first so the numbering stays valid:
#    sudo ebtables -t nat -D <chain> <rulenum>
# 3. Block the module from loading, then unload it (unloading only succeeds once no rule references it)
echo 'install ebt_snat /bin/true' | sudo tee /etc/modprobe.d/disable-ebt_snat.conf
sudo modprobe -r ebt_snat 2>/dev/null || true
# 4. Confirm the module is gone
lsmod | grep -w ebt_snat || echo "ebt_snat not loaded"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

