CVE-2026-53014— net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-53014
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir In tcf_blockcast_redir(), when iterating block ports to redirect packets to multiple devices, the mac_header_xmit flag is queried from the wrong device. The loop sends to dev_prev but queries dev_is_mac_header_xmit(dev) — which is the NEXT device in the iteration, not the one being sent to. This causes tcf_mirred_to_dev() to make incorrect decisions about whether to push or pull the MAC header. When the block contains mixed device types (e.g., an ethernet veth and a tunnel device), intermediate devices get the wrong mac_header_xmit flag, leading to skb header corruption. In the worst case, skb_push_rcsum with an incorrect mac_len can exhaust headroom and panic. The last device in the loop is handled correctly (line 365-366 uses dev_is_mac_header_xmit(dev_prev)), confirming this is a copy-paste oversight for the intermediate devices. Fix by using dev_prev instead of dev for the mac_header_xmit query, consistent with the device actually being sent to.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-53014
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-53014
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-53014 (3)
Other References for CVE-2026-53014 (1)
Same Patch Batch · Linux · 2026-06-24 · 219 CVEs total
| CVE-2026-52980 | sched/fair: Clear rel_deadline when initializing forked entities | |
| CVE-2026-52993 | tipc: fix double-free in tipc_buf_append() | |
| CVE-2026-52991 | sched/psi: fix race between file release and pressure write | |
| CVE-2026-52990 | fsnotify: fix inode reference leak in fsnotify_recalc_mask() | |
| CVE-2026-52988 | netfilter: nf_tables: join hook list via splice_list_rcu() in commit phase | |
| CVE-2026-52989 | nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers | |
| CVE-2026-52987 | drm/amdgpu: avoid double drm_exec_fini() in userq validate | |
| CVE-2026-52986 | netfilter: nf_conntrack_sip: don't use simple_strtoul | |
| CVE-2026-52985 | netdevsim: zero initialize struct iphdr in dummy sk_buff | |
| CVE-2026-52984 | net/sched: netem: fix queue limit check to include reordered packets | |
| CVE-2026-52982 | net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() | |
| CVE-2026-52983 | net: airoha: fix BQL imbalance in TX path | |
| CVE-2026-52981 | neigh: let neigh_xmit take skb ownership | |
| CVE-2026-52979 | net: psp: check for device unregister when creating assoc | |
| CVE-2026-52968 | KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic | |
| CVE-2026-52972 | crypto: af_alg - Cap AEAD AD length to 0x80000000 | |
| CVE-2026-52970 | netfilter: nft_ct: fix missing expect put in obj eval | |
| CVE-2026-52969 | KVM: Reject wrapped offset in kvm_reset_dirty_gfn() | |
| CVE-2026-52971 | net: ena: PHC: Fix potential use-after-free in get_timestamp | |
| CVE-2026-52967 | smb/client: fix possible infinite loop and oob read in symlink_data() |
Showing top 20 of 219 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-53277
KVM: arm64: Take the SRCU lock for page table walks in fault - CVE-2026-53276
Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer - CVE-2026-53275
ipv6: mcast: Fix use-after-free when processing MLD queries - CVE-2026-53274
net/smc: fix sleep-inside-lock in __smc_setsockopt() causing - CVE-2026-53273
tee: optee: prevent use-after-free when the client exits bef
Same vendor: Linux
- CVE-2026-53277
KVM: arm64: Take the SRCU lock for page table walks in fault - CVE-2026-53276
Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer - CVE-2026-53275
ipv6: mcast: Fix use-after-free when processing MLD queries - CVE-2026-53274
net/smc: fix sleep-inside-lock in __smc_setsockopt() causing - CVE-2026-53273
tee: optee: prevent use-after-free when the client exits bef
V. Comments for CVE-2026-53014
No comments yet