KernelScan.io

HIGH

netfilter ebt_snat ARP Corruption

CVE-2026-53266

CVSS 8.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

KernelScan AI6.2MEDIUM

01

In the Linux kernel, the following vulnerability has been resolved: netfilter: bridge: make ebt_snat ARP rewrite writable The ebtables SNAT target keeps the Ethernet source address rewrite behind skb_ensure_writable(skb, 0). This is intentional: at the bridge ebtables hooks the Ethernet header is addressed through skb_mac_header()/eth_hdr(), while skb->data points at the Ethernet payload. Asking skb_ensure_writable() for ETH_HLEN bytes would check the payload, not the Ethernet header, and would reintroduce the small packet regression fixed by commit 63137bc5882a. However, the optional ARP sender hardware address rewrite is different. It writes through skb_store_bits() at an offset relative to skb->data: skb_store_bits(skb, sizeof(struct arphdr), info->mac, ETH_ALEN) skb_header_pointer() only safely reads the ARP header; it does not make the later sender hardware address range writable. If that range is still held in a nonlinear skb fragment backed by a splice-imported file page, skb_store_bits() maps the frag page and copies the new MAC address directly into it. Ensure the ARP SHA range is writable before reading the ARP header and before calling skb_store_bits().

02

Engine v0.3.0

Risk summary

An attacker (including an unprivileged local user via user namespaces) who can configure ebtables SNAT rules on a bridge can cause the kernel to write a MAC address directly into a read-only splice-imported file page when processing ARP packets. This corrupts file-backed memory or can trigger a kernel panic, leading to integrity violations or denial of service.

Affectednet/bridge/netfilter/ebt_snat.c (netfilter bridge SNAT)

Vulnerability analysis

The root cause is that the ebtables SNAT target in ebt_snat.c performs an ARP sender hardware address (SHA) rewrite via skb_store_bits() at offset sizeof(struct arphdr) relative to skb->data, without first ensuring that memory range is writable. The existing skb_ensure_writable(skb, 0) call only ensures the Ethernet header region is writable (intentionally passing 0 to avoid the small-packet regression from commit 63137bc5882a), but does not cover the ARP payload region. If the ARP SHA range resides in a nonlinear skb fragment backed by a splice-imported file page, skb_store_bits() maps that page and writes the new MAC address directly into it, corrupting read-only file-backed memory or causing a page-fault panic. The fix adds skb_ensure_writable(skb, sizeof(_ah) + ETH_ALEN) before reading the ARP header and before calling skb_store_bits(), ensuring the ARP header plus SHA range is linearized and writable. On default kernels, an unprivileged user can create a user and network namespace to obtain CAP_NET_ADMIN and configure ebtables rules, making the attack path reachable without a true root shell.

03

BranchFixed inPatch commit
5.105.10.259afd64b59c3de
5.155.15.210153ea96c806a
5.45.5bf84ad7c7a9e
5.85.976280b78cc9f
5.95.10b7e91939ba9b
6.16.1.176b18675263db1
6.126.12.9467ba971ae025
6.186.18.36
6.66.6.143c9b5ff59feff
7.07.0.13
mainline7.1