Bug 2492285 (CVE-2026-53001)

Summary: CVE-2026-53001 kernel: netfilter: xtables: restrict several matches to inet family
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was identified in the Linux kernel's netfilter xtables component. This vulnerability allowed certain network filtering rules, specifically those involving `xt_mac`, `xt_owner`, `xt_physdev`, and `xt_realm` matches, to be applied outside of their intended internet protocol (IPv4 and IPv6) contexts. This could enable an attacker to bypass established network security policies, potentially leading to unauthorized network access or unintended packet processing.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-24 18:03:09 UTC
In the Linux kernel, the following vulnerability has been resolved:

netfilter: xtables: restrict several matches to inet family

This is a partial revert of:

  commit ab4f21e6fb1c ("netfilter: xtables: use NFPROTO_UNSPEC in more extensions")

to allow ipv4 and ipv6 only.

- xt_mac
- xt_owner
- xt_physdev

These extensions are not used by ebtables in userspace.

Moreover, xt_realm is only for ipv4, since dst->tclassid is ipv4-specific.

Comment 1 Mauro Matteo Cascella 2026-06-25 15:16:21 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062447-CVE-2026-53001-160e@gregkh/T