Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53267

CVE-2026-53267: Linux Kernel Buffer Overflow Vulnerability

CVE-2026-53267 is a buffer overflow flaw in the Linux kernel's netfilter nft_ct module that can corrupt kernel stack memory. This article covers the technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-53267 Overview

CVE-2026-53267 is a Linux kernel vulnerability in the netfilter nft_ct module. The flaw allows a template conntrack (ct) object created by nft_ct_set_zone_eval() to be processed as a real conntrack by nft_ct_get_eval(). This mismatch triggers a 16-byte memcpy that can overflow struct nft_regs on the kernel stack when dreg is set to NFT_REG32_15. Smaller dreg values silently clobber adjacent registers. The issue was identified through analysis of a historic syzbot report and reproduced with a simple nftables ruleset combining ct zone set with ct original saddr matching.

Critical Impact

A local user with CAP_NET_ADMIN can craft an nftables rule sequence that corrupts the kernel stack, enabling potential local privilege escalation or denial of service.

Affected Products

  • Linux kernel netfilter subsystem (net/netfilter/nft_ct.c)
  • Distributions shipping vulnerable stable kernel branches prior to the fix commits
  • Systems with nftables and conntrack zone functionality enabled

Discovery Timeline

  • 2026-06-25 - CVE-2026-53267 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-53267

Vulnerability Analysis

The vulnerability resides in the netfilter nft_ct expression handlers used by nftables for conntrack operations. When a rule applies ct zone set before another ct match in the same chain, the first expression calls nft_ct_set_zone_eval(), which allocates a per-CPU template conntrack via nf_ct_tmpl_alloc() using kzalloc. The template has a zero-initialized tuple and nf_ct_l3num(ct) == 0.

The subsequent nft_ct_get_eval() call on the same skb treats this template as a real conntrack entry. For attributes such as NFT_CT_SRC and NFT_CT_DST, the handler executes a 16-byte memcpy into the destination register. When dreg is NFT_REG32_15, the copy writes past struct nft_regs on the kernel stack, producing an out-of-bounds write [CWE-787]. With smaller dreg values, the write corrupts adjacent register slots used by later expressions.

Root Cause

The root cause is missing validation that the conntrack object passed to nft_ct_get_eval() and nft_ct_get_fast_eval() is not a template. The nft_ct_set_eval() function already contained this check, but the get-path handlers did not. Additionally, the address copy size was bounded by nf_ct_l3num(ct), an attacker-influenced field, rather than by the validated priv->len destination size.

Attack Vector

Local exploitation requires the ability to load nftables rules, typically CAP_NET_ADMIN within a user or network namespace. A minimal ruleset reproducing the issue attaches a template ct using ct zone set 1 followed by ct original saddr matching. Triggering packets through the prerouting hook drives the unchecked memcpy path, corrupting kernel stack registers and enabling control-flow or data-only attack primitives.

The vulnerability manifests in the conntrack template handling path within nft_ct.c. See the Linux kernel commit history for the authoritative patch details.

Detection Methods for CVE-2026-53267

Indicators of Compromise

  • Unexpected kernel oops or stack corruption warnings referencing nft_ct_get_eval or nft_do_chain in dmesg
  • KASAN reports flagging out-of-bounds writes within struct nft_regs during nftables evaluation
  • Loaded nftables rulesets combining ct zone set with subsequent ct match expressions in the same chain

Detection Strategies

  • Audit running kernel versions against the fixed commits referenced in the upstream stable tree
  • Inspect active nftables rulesets with nft list ruleset for chains that pair ct zone set with ct original or ct reply matches
  • Enable KASAN on test systems to surface the out-of-bounds write during fuzzing or rule validation

Monitoring Recommendations

  • Forward kernel logs to a centralized log platform and alert on BUG:, KASAN:, or general protection fault entries tied to netfilter symbols
  • Track creation of new network namespaces by unprivileged users, as namespace creation can grant CAP_NET_ADMIN for exploitation
  • Monitor nft and iptables-nft invocations on production hosts to detect unexpected rule loads

How to Mitigate CVE-2026-53267

Immediate Actions Required

  • Apply the upstream stable kernel patches referenced in the kernel.org commits as soon as distribution updates become available
  • Restrict CAP_NET_ADMIN on multi-tenant and container hosts to limit who can load nftables rules
  • Disable unprivileged user namespace creation where it is not required, using sysctl kernel.unprivileged_userns_clone=0 on supported distributions

Patch Information

The fix rejects template conntracks at the entry of nft_ct_get_eval() and nft_ct_get_fast_eval(), mirroring the existing check in nft_ct_set_eval(). It also bounds the NFT_CT_SRC and NFT_CT_DST address copy by priv->len rather than by nf_ct_l3num(ct), ensuring the copy size is governed by the validated destination register length. Patches landed across multiple stable branches: 2e154b5f53f1, 3027ecbdb5fd, 8470f676eade, af80f78ce984, and f071b0bf0781.

Workarounds

  • Remove nftables rules that combine ct zone set with subsequent ct get expressions in the same chain until patches are applied
  • Where feasible, switch affected chains to iptables-legacy or relocate ct zone set to a chain that does not perform ct get matching on the same packet
  • Enforce mandatory access controls (SELinux, AppArmor) to deny nft execution to non-administrative users
bash
# Configuration example: harden against local exploitation
sysctl -w kernel.unprivileged_userns_clone=0
sysctl -w kernel.dmesg_restrict=1
# Audit current nftables rulesets for the vulnerable pattern
nft list ruleset | grep -E 'ct (zone set|original|reply)'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.