CVE-2026-52942
Linux Kernel Vulnerability Analysis and Mitigation

Overview

CVE-2026-52942 is a memory disclosure vulnerability in the Linux kernel's netfilter nf_log module, specifically in the dump_mac_header() function within net/netfilter/nf_log_syslog.c. The flaw causes the kernel to read approximately 64 KiB out of bounds when processing packets with unset MAC headers, potentially exposing sensitive kernel memory contents in system logs. It affects Linux kernel versions from 2.6.36 onward, with fixes available in stable releases 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, and 7.1+. The vulnerability was published on June 24, 2026, and carries a CVSS category estimate of Medium (GitHub Advisory).

Technical details

The root cause is an out-of-bounds read (consistent with CWE-125) in dump_mac_header(), which guards MAC header access only with the condition skb->mac_header != skb->network_header, without calling skb_mac_header_was_set(). When the MAC header is unset, mac_header holds the sentinel value 0xffff, so skb_mac_header(skb) returns skb->head + 0xffff (approximately 64 KiB past the actual buffer boundary), and the loop then reads dev->hard_header_len bytes out of bounds into the kernel log. This is reachable via nf_log_unknown_packet() → dump_mac_header() when an AF_PACKET socket sends a packet using PACKET_QDISC_BYPASS, which bypasses __dev_queue_xmit() (the function that would normally set the MAC header), leaving it unset at the netfilter egress hook. The fix adds the skb_mac_header_was_set() check already used by the ARPHRD_ETHER path and replaces open-coded header length tests with skb_mac_header_len() (GitHub Advisory).
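The guard logic described above, modelled in userspace as an added example (not the kernel's code or the actual patch). The struct, the sample offsets, the buffer size and the hard_header_len value are constructed assumptions; only the 0xffff sentinel and the two guard conditions come from the advisory text.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed userspace model of the sk_buff fields involved (not the kernel struct). */
struct skb_model {
    size_t   buf_len;        /* bytes allocated starting at head */
    uint16_t mac_header;     /* offset from head; 0xffff means "unset" */
    uint16_t network_header; /* offset from head */
};

/* Constructed samples: a normal skb and one whose MAC header was never set. */
static const struct skb_model SKB_NORMAL = { 2048, 64, 88 };
static const struct skb_model SKB_UNSET  = { 2048, 0xffff, 64 };
#define HARD_HEADER_LEN 24u /* constructed dev->hard_header_len */

/* Same comparison skb_mac_header_was_set() makes: offset is not the all-ones sentinel. */
static bool mac_header_was_set(const struct skb_model *skb)
{
    return skb->mac_header != (uint16_t)~0u;
}

/* Guard as the page describes it before the fix. */
static bool guard_before_fix(const struct skb_model *skb, unsigned int hlen)
{
    return hlen && skb->mac_header != skb->network_header;
}

/* Model of the fixed guard: header must be set and have non-zero length. */
static bool guard_after_fix(const struct skb_model *skb, unsigned int hlen)
{
    return hlen && mac_header_was_set(skb) &&
           (uint16_t)(skb->network_header - skb->mac_header) != 0;
}

/* How far past the end of the allocation a read of hlen bytes at mac_header ends. */
static size_t bytes_past_buffer(const struct skb_model *skb, unsigned int hlen)
{
    size_t end = (size_t)skb->mac_header + hlen;
    return end > skb->buf_len ? end - skb->buf_len : 0;
}

int main(void)
{
    printf("unset skb: before=%d after=%d, read ends %zu bytes past buffer\n",
           guard_before_fix(&SKB_UNSET, HARD_HEADER_LEN), guard_after_fix(&SKB_UNSET, HARD_HEADER_LEN),
           bytes_past_buffer(&SKB_UNSET, HARD_HEADER_LEN));
    return 0;
}
```

The sentinel passes the inequality test because 0xffff differs from any real network_header offset, which is why the explicit was-set check is the part that closes the hole.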

Impact

Successful exploitation allows a local user with AF_PACKET socket access to cause the kernel to read and log kernel memory contents located approximately 64 KiB past the intended buffer boundary, constituting a sensitive kernel memory disclosure. This could expose cryptographic keys, pointers, or other privileged data present in kernel memory at the time of the read, potentially aiding in bypassing kernel ASLR or facilitating further privilege escalation. Integrity and availability are not directly impacted; the primary risk is confidentiality of kernel memory contents (GitHub Advisory).

Exploitation steps

  1. Prerequisite: Obtain local access to a vulnerable Linux system (kernel 2.6.36 through the unpatched versions) with permission to create AF_PACKET sockets (requires CAP_NET_RAW capability or equivalent).
  2. Enable netfilter logging: Ensure the nf_log_syslog module is loaded and a netfilter/nftables rule is configured to log packets on the egress netdev hook (e.g., using nft add rule netdev filter egress log).
  3. Craft a raw packet: Open an AF_PACKET socket with SOCK_RAW and set the PACKET_QDISC_BYPASS socket option to bypass the normal __dev_queue_xmit() path, which would otherwise set the MAC header.
  4. Send the packet: Transmit a crafted packet via sendto() targeting a network interface. Because PACKET_QDISC_BYPASS skips MAC header initialization, skb->mac_header remains 0xffff.
  5. Trigger out-of-bounds read: The packet reaches the netfilter egress hook; nf_log_unknown_packet() calls dump_mac_header() unconditionally, which reads dev->hard_header_len bytes from skb->head + 0xffff (~64 KiB past the buffer) and writes them to the kernel log.
  6. Extract disclosed memory: Read the kernel log (e.g., via dmesg or /var/log/kern.log) to retrieve the out-of-bounds kernel memory contents for further analysis (GitHub Advisory).

Indicators of compromise

  • Logs: KASAN reports in kernel logs matching BUG: KASAN: slab-out-of-bounds in dump_mac_header (net/netfilter/nf_log_syslog.c:831) with a call trace including nf_log_netdev_packet, nf_log_packet, nft_log_eval, and packet_sendmsg.
  • Logs: Kernel log entries showing reads at addresses approximately 0xffff bytes past a known slab buffer base, or unusual MAC header data appearing in netfilter log output.
  • Process: A process (e.g., named exploit) appearing in the KASAN report as the task triggering the out-of-bounds read via __sys_sendto.
  • Network: Unusual raw AF_PACKET socket activity on network interfaces, particularly with PACKET_QDISC_BYPASS enabled, from non-privileged or unexpected processes.
  • System: Unexpected loading of the nf_log_syslog kernel module combined with new nftables/iptables logging rules on netdev egress hooks (GitHub Advisory).
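A log triage check for the KASAN indicator above, as an added example (not from the advisory). The log lines are constructed, and the report is assumed to end at a "=====" delimiter line; such reports only appear on kernels built with KASAN.

```c
#include <stdio.h>
#include <string.h>

#define SIG "BUG: KASAN: slab-out-of-bounds in dump_mac_header"
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Call-trace frames the page lists for this report. */
static const char *const FRAMES[] = {
    "nf_log_netdev_packet", "nf_log_packet", "nft_log_eval", "packet_sendmsg",
};

/* Constructed kernel log excerpts; timestamps and layout are illustrative. */
static const char *const LOG_HIT[] = {
    "[ 101.01] ==================================================",
    "[ 101.02] " SIG " (net/netfilter/nf_log_syslog.c:831)",
    "[ 101.03] Call Trace:",
    "[ 101.04]  nf_log_netdev_packet",
    "[ 101.05]  nf_log_packet",
    "[ 101.06]  nft_log_eval",
    "[ 101.07]  packet_sendmsg",
    "[ 101.08] ==================================================",
};
static const char *const LOG_OTHER[] = {
    "[ 55.10] BUG: KASAN: slab-out-of-bounds in some_other_function",
    "[ 55.11]  packet_sendmsg",
};

/* Returns -1 if the signature is absent, else how many listed frames (0..4)
 * appear between the signature line and the closing "=====" delimiter. */
static int score_report(const char *const *lines, size_t n)
{
    int in_report = 0, found = 0, count = 0;
    unsigned int seen = 0;
    for (size_t i = 0; i < n; i++) {
        if (strstr(lines[i], SIG)) { in_report = found = 1; continue; }
        if (!in_report) continue;
        if (strstr(lines[i], "=====")) { in_report = 0; continue; }
        for (size_t f = 0; f < COUNT(FRAMES); f++)
            if (strstr(lines[i], FRAMES[f])) seen |= 1u << f;
    }
    for (size_t f = 0; f < COUNT(FRAMES); f++) count += (seen >> f) & 1u;
    return found ? count : -1;
}

int main(void)
{
    printf("hit=%d ", score_report(LOG_HIT, COUNT(LOG_HIT)));
    printf("other=%d\n", score_report(LOG_OTHER, COUNT(LOG_OTHER)));
    return 0;
}
```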

Mitigation and workarounds

Apply the available kernel patches for the respective stable branches: 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1+. The fix commits are available at the kernel stable git repository (e.g., d704ee9c7bc6, befb8968a2ab, 8a81e336da68, c38d41134085, af1b7699466f, 65ef7397eb9a, a84b6fedbc97). If immediate patching is not possible, restrict AF_PACKET socket creation to trusted users by limiting CAP_NET_RAW capability, or unload/disable the nf_log_syslog module if netfilter packet logging is not required (GitHub Advisory).

Community reactions

The vulnerability received routine automated coverage from CVE tracking services and aggregators (Vulners, VulDB, CVEfeed, CIRCL) shortly after publication on June 24, 2026. Social media activity was limited to automated CVE notification accounts on Bluesky and Nitter. No notable independent researcher commentary or vendor statements beyond the kernel patch itself have been identified (GitHub Advisory).

This report was generated using AI.

Related Linux Kernel vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-52942 | NONE | N/A | Linux Kernel | kernel-rt | No | No | Jun 24, 2026 |
| CVE-2026-52941 | NONE | N/A | Linux Kernel | kernel | No | No | Jun 24, 2026 |
| CVE-2026-52940 | NONE | N/A | Linux Kernel | kernel | No | No | Jun 24, 2026 |
| CVE-2026-52939 | NONE | N/A | Linux Kernel | kernel | No | No | Jun 24, 2026 |
| CVE-2026-52937 | NONE | N/A | Linux Kernel | kernel | No | No | Jun 24, 2026 |
