{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "45d9bcda21f4c13be75e3571b0f0ef39e77934b5"
            },
            {
              "fixed": "af80f78ce984649e1698b841cd33f4fa505ad828"
            },
            {
              "fixed": "8470f676eadeab99132708acb1a85915664d6115"
            },
            {
              "fixed": "f071b0bf078146368d18e4eec386bf2ddc0ab7e0"
            },
            {
              "fixed": "2e154b5f53f1b0b490c7b8b02499f90feb86b1d5"
            },
            {
              "fixed": "3027ecbdb5fdf9200251c21d4818e4c447ef78e1"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0"
            },
            {
              "fixed": "6.6.143"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.94"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.36"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "7.0.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53267.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: bail out on template ct in get eval\n\nI noticed this issue while looking at a historic syzbot report [1].\n\nA rule like the one below is enough to trigger the bug:\n\n    table ip t {\n        chain pre {\n            type filter hook prerouting priority raw;\n            ct zone set 1\n            ct original saddr 1.2.3.4 accept\n        }\n    }\n\nThe first expression attaches a per-cpu template ct via\nnft_ct_set_zone_eval() (nf_ct_tmpl_alloc -\u003e kzalloc, tuple is all\nzero, nf_ct_l3num(ct) == 0). The next expression then calls\nnft_ct_get_eval() on the same skb, treats the template as a real ct\nand hits the 16-byte memcpy path. With dreg at NFT_REG32_15 this\noverflows past struct nft_regs on the kernel stack; with smaller\ndreg values it silently clobbers adjacent registers.\n\nReject template ct at the eval entry and in nft_ct_get_fast_eval(),\nmirroring the check nft_ct_set_eval() already has. Additionally,\nbound the address copy in NFT_CT_SRC / NFT_CT_DST by priv-\u003elen\ninstead of by nf_ct_l3num(ct): nf_ct_get_tuple() zeroes the tuple\nbefore pkt_to_tuple() fills in only the protocol-relevant leading\nbytes, so the trailing bytes of tuple-\u003e{src,dst}.u3.all are\nwell-defined zero. priv-\u003elen is validated at rule load, so the\ncopy size is now bounded by the destination register rather than\nby an untrusted field on the conntrack.\n\n[1]: https://syzkaller.appspot.com/bug?id=389cf09cb72926114fce90dc85a2c3231dcb647c",
  "id": "CVE-2026-53267",
  "modified": "2026-07-09T03:51:44.011471294Z",
  "published": "2026-06-25T08:39:53.852Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2e154b5f53f1b0b490c7b8b02499f90feb86b1d5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3027ecbdb5fdf9200251c21d4818e4c447ef78e1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8470f676eadeab99132708acb1a85915664d6115"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/af80f78ce984649e1698b841cd33f4fa505ad828"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f071b0bf078146368d18e4eec386bf2ddc0ab7e0"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53267.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53267"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "netfilter: nft_ct: bail out on template ct in get eval"
}