CVE-2026-52927

HIGHPre-NVD 7.87.8
EchelonGraph scoreHIGH confidence

Score 7.8 from GitHub Security Advisory (severity: HIGH) published 2026-06-24. a secondary CVSS source baseline 7.8; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: epss, ghsa, secondary
Trending — 4 sources updated this week
7.8
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 7.8Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ebtables: fix OOB read in compat_mtw_from_user

Luxiao Xu says:

The function compat_mtw_from_user() converts ebtables extensions from 32-bit user structures to kernel native structures. However, it lacks proper validation of the user-supplied match_size/target_size.

When certain extensions are processed, the kernel-side translation logic may perform memory accesses based on the extension's expected size. If the user provides a size smaller than what the extension requires, it results in an out-of-bounds read as reported by KASAN.

This fix introduces a check to ensure match_size is at least as large as the extension's required compatsize. This covers matches, watchers, and targets, while maintaining compatibility with standard targets.

AFAIU this is relevant for matches that need to go though match->compat_from_user() call. Those that use plain memcpy with the user-provided size are ok because the caller checks that size vs the start of the next rule entry offset (which itself is checked vs. total size copied from userspace).

The ->compat_from_user() callbacks assume they can read compatsize bytes, so they need this extra check.

Based on an earlier patch from Luxiao Xu.

CVSS v3
7.8
EG Score
7.8(high)
EPSS
2.2%
KEV
Not listed

Published

June 24, 2026

Last Modified

June 28, 2026

Advisory Details (8)

Auto-updated Jun 28, 2026
No patch confirmed yet.
generic

netfilter: ebtables: fix OOB read in compat_mtw_from_user - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/fcc4c043d137e7f1de4673dba1f3116e45377c67
generic

netfilter: ebtables: fix OOB read in compat_mtw_from_user - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/f438d1786d657d57790c5d138d6db3fc9fdac392
generic

netfilter: ebtables: fix OOB read in compat_mtw_from_user - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/dad9ebf8107955bb54bd3f9cf22591b6ff37bac1
generic

netfilter: ebtables: fix OOB read in compat_mtw_from_user - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/d7a8fb6f10d55a1c37b0bf8c20cca24dffd76e00
generic

netfilter: ebtables: fix OOB read in compat_mtw_from_user - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/bf8e8eac7ede51dc318e06acef5a896dcbba7595
generic

netfilter: ebtables: fix OOB read in compat_mtw_from_user - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/a27cb7325a6c69970041c7f8541fafed5a1ea3ec
generic

netfilter: ebtables: fix OOB read in compat_mtw_from_user - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/7ad0e463fc7eafae2141cc38054264636f8b3e94
generic

netfilter: ebtables: fix OOB read in compat_mtw_from_user - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/21af4c030567d2e6c89bb927bc18b51fba52a400

Vendor Advisories for CVE-2026-52927(2)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 46× in last 7d / 62× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-07 01:38 UTCEG score recompute
  2. 2026-07-07 01:38 UTCVendor advisory
  3. 2026-07-07 01:38 UTCGHSA enrichment
  4. 2026-07-06 16:27 UTCEPSS rescore
  5. 2026-07-06 16:27 UTCEPSS rescore
  6. 2026-07-06 12:44 UTCEG score recompute
  7. 2026-07-06 12:44 UTCVendor advisory
  8. 2026-07-06 12:44 UTCGHSA enrichment
  9. 2026-07-06 02:23 UTCEPSS rescore
  10. 2026-07-06 02:23 UTCEPSS rescore
  11. 2026-07-05 23:49 UTCEG score recompute
  12. 2026-07-05 23:49 UTCVendor advisory
  13. 2026-07-05 23:49 UTCGHSA enrichment
  14. 2026-07-05 10:55 UTCEG score recompute
  15. 2026-07-05 10:55 UTCVendor advisory
  16. 2026-07-05 10:55 UTCGHSA enrichment
  17. 2026-07-05 02:30 UTCEPSS rescore
  18. 2026-07-04 22:00 UTCEG score recompute
  19. 2026-07-04 22:00 UTCVendor advisory
  20. 2026-07-04 22:00 UTCGHSA enrichment
  21. 2026-07-04 09:07 UTCEG score recompute
  22. 2026-07-04 09:07 UTCVendor advisory
  23. 2026-07-04 09:07 UTCGHSA enrichment
  24. 2026-07-03 20:14 UTCEG score recompute
  25. 2026-07-03 20:14 UTCVendor advisory
Show 37 more
  1. 2026-07-03 20:14 UTCGHSA enrichment
  2. 2026-07-03 07:21 UTCEG score recompute
  3. 2026-07-03 07:21 UTCVendor advisory
  4. 2026-07-03 07:21 UTCGHSA enrichment
  5. 2026-07-02 18:28 UTCEG score recompute
  6. 2026-07-02 18:28 UTCVendor advisory
  7. 2026-07-02 18:28 UTCGHSA enrichment
  8. 2026-07-02 05:35 UTCEG score recompute
  9. 2026-07-02 05:35 UTCVendor advisory
  10. 2026-07-02 05:35 UTCGHSA enrichment
  11. 2026-07-01 16:42 UTCEG score recompute
  12. 2026-07-01 16:42 UTCVendor advisory
  13. 2026-07-01 16:41 UTCGHSA enrichment
  14. 2026-07-01 15:07 UTCEPSS rescore
  15. 2026-07-01 03:48 UTCEG score recompute
  16. 2026-07-01 03:48 UTCVendor advisory
  17. 2026-07-01 03:48 UTCGHSA enrichment
  18. 2026-06-30 23:22 UTCEPSS rescore
  19. 2026-06-30 14:54 UTCEG score recompute
  20. 2026-06-30 14:54 UTCVendor advisory
  21. 2026-06-30 14:54 UTCGHSA enrichment
  22. 2026-06-30 01:57 UTCEG score recompute 7.80
  23. 2026-06-30 01:57 UTCVendor advisory
  24. 2026-06-30 01:57 UTCGHSA enrichment
  25. 2026-06-29 14:06 UTCEPSS rescore
  26. 2026-06-29 14:06 UTCEPSS rescore
  27. 2026-06-28 14:07 UTCEPSS rescore
  28. 2026-06-28 07:52 UTCMITRE cvelistV5CVSS v3 → 7.8 · severity → HIGH
  29. 2026-06-28 04:56 UTCEPSS rescore
  30. 2026-06-28 04:56 UTCEPSS rescore
  31. 2026-06-27 05:19 UTCEG score recompute
  32. 2026-06-27 05:19 UTCGHSA enrichment
  33. 2026-06-27 03:08 UTCEPSS rescore
  34. 2026-06-25 13:49 UTCEPSS rescore
  35. 2026-06-24 14:05 UTCEPSS rescore
  36. 2026-06-24 08:41 UTCEG score recompute
  37. 2026-06-24 08:40 UTCNVD updatefirst tracked

Frequently asked(5)

What is CVE-2026-52927?
CVE-2026-52927 is a high vulnerability published on June 24, 2026. In the Linux kernel, the following vulnerability has been resolved: netfilter: ebtables: fix OOB read in compatmtwfrom_user Luxiao Xu says: The function compatmtwfrom_user() converts ebtables extensions from 32-bit user structures to kernel native structures. However, it lacks proper validation of…
When was CVE-2026-52927 disclosed?
CVE-2026-52927 was first published in the National Vulnerability Database on June 24, 2026, with the most recent update on June 28, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-52927 actively exploited?
CVE-2026-52927 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 2.2% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-52927?
CVE-2026-52927 has a CVSS v3 base score of 7.8 (NVD).
How do I remediate CVE-2026-52927?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-52927, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-52927

Explore →

Is Your Infrastructure Affected by CVE-2026-52927?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.