CVE-2026-53267 Overview
CVE-2026-53267 is a Linux kernel vulnerability in the netfilter nft_ct module. The flaw allows a template conntrack (ct) object created by nft_ct_set_zone_eval() to be processed as a real conntrack by nft_ct_get_eval(). This mismatch triggers a 16-byte memcpy that can overflow struct nft_regs on the kernel stack when dreg is set to NFT_REG32_15. Smaller dreg values silently clobber adjacent registers. The issue was identified through analysis of a historic syzbot report and reproduced with a simple nftables ruleset combining ct zone set with ct original saddr matching.
Critical Impact
A local user with CAP_NET_ADMIN can craft an nftables rule sequence that corrupts the kernel stack, enabling potential local privilege escalation or denial of service.
Affected Products
- Linux kernel netfilter subsystem (net/netfilter/nft_ct.c)
- Distributions shipping vulnerable stable kernel branches prior to the fix commits
- Systems with nftables and conntrack zone functionality enabled
Discovery Timeline
- 2026-06-25 - CVE-2026-53267 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-53267
Vulnerability Analysis
The vulnerability resides in the netfilter nft_ct expression handlers used by nftables for conntrack operations. When a rule applies ct zone set before another ct match in the same chain, the first expression calls nft_ct_set_zone_eval(), which allocates a per-CPU template conntrack via nf_ct_tmpl_alloc() using kzalloc. The template has a zero-initialized tuple and nf_ct_l3num(ct) == 0.
The subsequent nft_ct_get_eval() call on the same skb treats this template as a real conntrack entry. For attributes such as NFT_CT_SRC and NFT_CT_DST, the handler executes a 16-byte memcpy into the destination register. When dreg is NFT_REG32_15, the copy writes past struct nft_regs on the kernel stack, producing an out-of-bounds write [CWE-787]. With smaller dreg values, the write corrupts adjacent register slots used by later expressions.
Root Cause
The root cause is missing validation that the conntrack object passed to nft_ct_get_eval() and nft_ct_get_fast_eval() is not a template. The nft_ct_set_eval() function already contained this check, but the get-path handlers did not. Additionally, the address copy size was bounded by nf_ct_l3num(ct), an attacker-influenced field, rather than by the validated priv->len destination size.
Attack Vector
Local exploitation requires the ability to load nftables rules, typically CAP_NET_ADMIN within a user or network namespace. A minimal ruleset reproducing the issue attaches a template ct using ct zone set 1 followed by ct original saddr matching. Triggering packets through the prerouting hook drives the unchecked memcpy path, corrupting kernel stack registers and enabling control-flow or data-only attack primitives.
The vulnerability manifests in the conntrack template handling path within nft_ct.c. See the Linux kernel commit history for the authoritative patch details.
Detection Methods for CVE-2026-53267
Indicators of Compromise
- Unexpected kernel oops or stack corruption warnings referencing nft_ct_get_eval or nft_do_chain in dmesg
- KASAN reports flagging out-of-bounds writes within struct nft_regs during nftables evaluation
- Loaded nftables rulesets combining ct zone set with subsequent ct match expressions in the same chain
Detection Strategies
- Audit running kernel versions against the fixed commits referenced in the upstream stable tree
- Inspect active nftables rulesets with nft list ruleset for chains that pair ct zone set with ct original or ct reply matches
- Enable KASAN on test systems to surface the out-of-bounds write during fuzzing or rule validation
Monitoring Recommendations
- Forward kernel logs to a centralized log platform and alert on BUG:, KASAN:, or general protection fault entries tied to netfilter symbols
- Track creation of new network namespaces by unprivileged users, as namespace creation can grant CAP_NET_ADMIN for exploitation
- Monitor nft and iptables-nft invocations on production hosts to detect unexpected rule loads
How to Mitigate CVE-2026-53267
Immediate Actions Required
- Apply the upstream stable kernel patches referenced in the kernel.org commits as soon as distribution updates become available
- Restrict CAP_NET_ADMIN on multi-tenant and container hosts to limit who can load nftables rules
- Disable unprivileged user namespace creation where it is not required, using sysctl kernel.unprivileged_userns_clone=0 on supported distributions
Patch Information
The fix rejects template conntracks at the entry of nft_ct_get_eval() and nft_ct_get_fast_eval(), mirroring the existing check in nft_ct_set_eval(). It also bounds the NFT_CT_SRC and NFT_CT_DST address copy by priv->len rather than by nf_ct_l3num(ct), ensuring the copy size is governed by the validated destination register length. Patches landed across multiple stable branches: 2e154b5f53f1, 3027ecbdb5fd, 8470f676eade, af80f78ce984, and f071b0bf0781.
Workarounds
- Remove nftables rules that combine ct zone set with subsequent ct get expressions in the same chain until patches are applied
- Where feasible, switch affected chains to iptables-legacy or relocate ct zone set to a chain that does not perform ct get matching on the same packet
- Enforce mandatory access controls (SELinux, AppArmor) to deny nft execution to non-administrative users
# Configuration example: harden against local exploitation
sysctl -w kernel.unprivileged_userns_clone=0
sysctl -w kernel.dmesg_restrict=1
# Audit current nftables rulesets for the vulnerable pattern
nft list ruleset | grep -E 'ct (zone set|original|reply)'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

