
CVE-2026-53266: Linux Kernel Privilege Escalation Flaw

CVE-2026-53266 is a privilege escalation vulnerability in the Linux kernel's netfilter bridge component affecting ARP rewrite operations. This article covers technical details, affected versions, and mitigation strategies.

CVE-2026-53266 Overview

CVE-2026-53266 is a Linux kernel vulnerability in the netfilter bridge subsystem. The flaw exists in the ebt_snat target's optional ARP sender hardware address (SHA) rewrite path. The code calls skb_store_bits() to write into the socket buffer (skb) without first ensuring the target range is writable. When the ARP SHA range resides in a nonlinear skb fragment backed by a splice-imported file page, the write modifies the underlying page directly. This can corrupt memory belonging to unrelated kernel objects or user-space mappings. The issue has been resolved upstream by ensuring the ARP SHA range is writable before reading the ARP header and calling skb_store_bits().

Critical Impact

Improper writability checks in the ebtables SNAT ARP rewrite path allow modification of memory backing splice-imported file pages, leading to kernel memory corruption.

Affected Products

  • Linux kernel (mainline) — netfilter bridge ebt_snat target
  • Linux stable branches receiving the backported fix commits
  • Distributions shipping vulnerable kernel versions with bridge ebtables enabled

Discovery Timeline

  • 2026-06-25 - CVE-2026-53266 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-53266

Vulnerability Analysis

The vulnerability is a kernel memory corruption issue in the bridge netfilter ebtables SNAT target. At the bridge ebtables hooks, the Ethernet header is reached through skb_mac_header() and eth_hdr(), while skb->data points at the Ethernet payload. The SNAT target deliberately uses skb_ensure_writable(skb, 0) to avoid checking the payload range, preserving the small-packet fix from commit 63137bc5882a.

The optional ARP sender hardware address rewrite, however, calls skb_store_bits(skb, sizeof(struct arphdr), info->mac, ETH_ALEN) at an offset relative to skb->data. The prior skb_header_pointer() call only ensures safe reading of the ARP header; it does not make the later SHA range writable. If that range remains held in a nonlinear skb fragment backed by a splice-imported file page, skb_store_bits() maps the frag page and writes the new MAC address directly into shared memory.

Root Cause

The root cause is a missing writability guarantee before an in-place skb modification. skb_header_pointer() provides read-only safety, but the subsequent skb_store_bits() call requires the range to be linearized or cloned. Without that, the write operates on memory that may be shared with file-backed pages introduced via splice().
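To make the Vulnerability Analysis and Root Cause sections concrete, the following is an added user-space model written for this article; it is not kernel code and not taken from the upstream patches. It assumes a simplified skb with a private linear area and one fragment that aliases a shared page, and compares the header-only writability check with the fixed variant that makes the SHA range writable before the store.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed user-space model, not kernel code: the ARP header is linear, but
 * the SHA onwards sits in a fragment aliasing a splice-imported file page. */
#define ARPHDR_LEN 8    /* sizeof(struct arphdr) on the wire */
#define ETH_ALEN   6
#define ARP_BODY   20   /* SHA, SPA, THA, TPA for Ethernet/IPv4 ARP */
static uint8_t file_page[ARP_BODY];   /* stands in for the shared file page */
struct skb_model {                    /* offsets are relative to skb->data */
    uint8_t  linear[ARPHDR_LEN + ARP_BODY]; /* private, always writable */
    size_t   linear_len;
    uint8_t *frag;                           /* shared nonlinear tail */
};

/* skb_store_bits() analogue: writes wherever the byte currently lives,
 * straight into the frag page if the range was never made linear. */
static void store_bits(struct skb_model *s, size_t off, const uint8_t *src, size_t len) {
    for (size_t i = 0; i < len; i++) {
        size_t pos = off + i;
        if (pos < s->linear_len) s->linear[pos] = src[i];
        else s->frag[pos - s->linear_len] = src[i];
    }
}

/* skb_ensure_writable() analogue: copy the first 'need' bytes into the
 * private linear area so a later write cannot reach the shared page. */
static void ensure_writable(struct skb_model *s, size_t need) {
    if (need <= s->linear_len) return;
    size_t pull = need - s->linear_len;
    memcpy(s->linear + s->linear_len, s->frag, pull);
    s->linear_len += pull;
    s->frag += pull;
}
static const uint8_t new_mac[ETH_ALEN] = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55};
static uint8_t seen_sha[ETH_ALEN];    /* SHA the skb presents after the rewrite */

/* fixed=false keeps the header-only skb_ensure_writable(skb, 0) the page
 * describes; fixed=true makes the SHA range writable first, as the fix does.
 * Returns true if the rewrite modified the shared file page. */
static bool snat_arp_corrupts_page(bool fixed) {
    struct skb_model s = { .linear_len = ARPHDR_LEN, .frag = file_page };
    memset(file_page, 0xAA, sizeof file_page);   /* constructed page contents */
    ensure_writable(&s, fixed ? ARPHDR_LEN + ETH_ALEN : 0);
    store_bits(&s, ARPHDR_LEN, new_mac, ETH_ALEN);   /* the SHA rewrite */
    memcpy(seen_sha, s.linear_len > ARPHDR_LEN ? s.linear + ARPHDR_LEN : s.frag, ETH_ALEN);
    for (size_t i = 0; i < ETH_ALEN; i++)
        if (file_page[i] != 0xAA) return true;
    return false;
}
```

Both variants leave the packet showing the new SHA, but only the header-only check lets the write land in the shared page, which is the corruption the advisory describes.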

Attack Vector

A local attacker with capabilities to configure ebtables rules and craft packets traversing a bridge with the ebt_snat ARP rewrite option can trigger the unsafe write. The packet must carry an ARP payload held in a nonlinear skb fragment backed by a splice-imported file page. The result is unauthorized modification of memory outside the intended packet buffer.

No verified public exploit code is available. The vulnerability mechanism is documented in the upstream patch series referenced below. See Kernel Git Commit 153ea96 and Kernel Git Commit c9b5ff5 for the source-level fix.

Detection Methods for CVE-2026-53266

Indicators of Compromise

  • Unexpected kernel oops or memory corruption reports referencing ebt_snat, skb_store_bits, or bridge netfilter call paths.
  • Loaded ebtables rules using the SNAT target with the --snat-arp option on bridged interfaces.
  • Anomalous kernel page-fault or KASAN reports in netfilter bridge code paths after ARP traffic processing.

Detection Strategies

  • Inventory kernel versions across Linux fleet and flag hosts running unpatched releases that include the bridge netfilter ebt_snat module.
  • Audit running ebtables configurations for SNAT targets with ARP rewrite options enabled on bridged hosts.
  • Enable KASAN or KFENCE in test environments to surface unsafe writes in skb_store_bits() paths during bridge traffic testing.

Monitoring Recommendations

  • Monitor dmesg and kernel logs for warnings, oops messages, or KASAN reports involving ebt_snat_tg or skb_store_bits.
  • Track loading of the ebt_snat kernel module and changes to ebtables rules via auditd.
  • Alert on unprivileged processes invoking splice() against pages routed through bridged network namespaces in high-risk multi-tenant systems.

How to Mitigate CVE-2026-53266

Immediate Actions Required

  • Apply the upstream kernel patches as soon as your distribution provides updated packages.
  • Restrict CAP_NET_ADMIN to trusted administrators to prevent untrusted users from loading ebtables SNAT rules.
  • If bridge ebtables ARP rewrite is not required, remove or avoid configuring ebt_snat rules with the ARP MAC option.

Patch Information

The issue is resolved by ensuring the ARP SHA range is writable before reading the ARP header and before calling skb_store_bits(). Fix commits are available in the Linux stable tree; see Kernel Git Commit 153ea96 and Kernel Git Commit c9b5ff5 referenced in the Attack Vector section above.

Workarounds

  • Blacklist the ebt_snat module on systems that do not require ebtables SNAT functionality.
  • Remove SNAT rules with the ARP MAC rewrite option (--snat-arp) from bridge ebtables tables until the patch is applied.
  • Disable bridge netfilter (br_netfilter) where the broader feature set is not required by the workload.
```bash
# Configuration example: prevent ebt_snat from loading until patched
echo 'install ebt_snat /bin/true' | sudo tee /etc/modprobe.d/disable-ebt_snat.conf
# Unloading fails harmlessly if rules still reference the module; delete them first (below)
sudo modprobe -r ebt_snat 2>/dev/null || true

# List existing ebtables SNAT rules that carry the ARP MAC rewrite option
sudo ebtables -t nat -L --Lc | grep -i 'snat.*--snat-arp'
# For each matching rule, delete it explicitly (chain and rule-spec from the listing):
# sudo ebtables -t nat -D <chain> <rule-spec>
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
