CVE-2026-53131
Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: require Ethernet MAC header before using eth_hdr() `ip6t_eui64`, `xt_mac`, the `bitmap:ip,mac`, `hash:ip,mac`, and `hash:mac` ipset types, and `nf_log_syslog` access `eth_hdr(skb)` after either assuming that the skb is associated with an Ethernet device or checking only that the `ETH_HLEN` bytes at `skb_mac_header(skb)` lie between `skb->head` and `skb->data`. Make these paths first verify that the skb is associated with an Ethernet device, that the MAC header was set, and that it spans at least a full Ethernet header before accessing `eth_hdr(skb)`.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
CVE-2026-53131 NameCVE-2026-53131 Descriptionnetfilter: require Ethernet MAC header before using eth_hdr() SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) Vulnerable and fixed packages The table below lists information on source packages. Source PackageReleaseVersionStatus linuxβ¦
CVE-2026-53131
| Name | CVE-2026-53131 |
| Description | netfilter: require Ethernet MAC header before using eth_hdr() |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| linux (PTS) | bullseye | 5.10.223-1 | vulnerable |
| bullseye (security) | 5.10.257-1 | vulnerable | |
| bookworm | 6.1.170-3 | vulnerable | |
| bookworm (security) | 6.1.174-1 | vulnerable | |
| trixie | 6.12.86-1 | vulnerable | |
| trixie (security) | 6.12.94-1 | fixed | |
| forky | 7.0.12-2 | vulnerable | |
| sid | 7.0.13-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| linux | source | trixie | 6.12.94-1 | |||
| linux | source | (unstable) | 7.0.13-1 |
Notes
https://git.kernel.org/linus/62443dc21114c0bbc476fa62973db89743f2f137 (7.1-rc1)
Apply commands
https://git.kernel.org/linus/62443dc21114c0bbc476fa62973db89743f2f137 (7.1-rc1)OS impact
Debian Mixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 6.12.94-1 |
| sid | Fixed | 7.0.13-1 |
| forky | Affected | β |
| bullseye | Affected | β |
| bookworm | Affected | β |
References
- https://git.kernel.org/stable/c/4435888e1bf139d2bfe5911643d4217382136743
- https://git.kernel.org/stable/c/063f43361e884acd7300790e90194430275d0d0c
- https://git.kernel.org/stable/c/726abf97566867f808fec9d8a408eb9698bd570a
- https://git.kernel.org/stable/c/367abcacc13a8e2e7624408b7f593bd1e60e49d9
- https://git.kernel.org/stable/c/5d634afb8b83b49de562792fd0d047416a43bd4d
- https://git.kernel.org/stable/c/cea435ea7e868ea6fdf039bc4f2090c1d829b556
- https://git.kernel.org/stable/c/62443dc21114c0bbc476fa62973db89743f2f137
- https://security-tracker.debian.org/tracker/CVE-2026-53131
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.