In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir

In tcf_blockcast_redir(), when iterating block ports to redirect
packets to multiple devices, the mac_header_xmit flag is queried
from the wrong device. The loop sends to dev_prev but queries
dev_is_mac_header_xmit(dev) — which is the NEXT device in the
iteration, not the one being sent to.

This causes tcf_mirred_to_dev() to make incorrect decisions about
whether to push or pull the MAC header. When the block contains
mixed device types (e.g., an ethernet veth and a tunnel device),
intermediate devices get the wrong mac_header_xmit flag, leading to
skb header corruption. In the worst case, skb_push_rcsum with an
incorrect mac_len can exhaust headroom and panic.

The last device in the loop is handled correctly (line 365-366 uses
dev_is_mac_header_xmit(dev_prev)), confirming this is a copy-paste
oversight for the intermediate devices.

Fix by using dev_prev instead of dev for the mac_header_xmit query,
consistent with the device actually being sent to.

https://git.kernel.org/stable/c/4510d140524ca7d6e772db962e013f26f09a63b1

https://git.kernel.org/stable/c/4764953c4b47585eb72797b216b63a831dc0c7e6

https://git.kernel.org/stable/c/7db3e4e03032261b1b519341123fc30d995478ca

https://git.kernel.org/stable/c/8fda5174286119addd28473fb2ec5bdf521c05a8

[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/sched/act_mirred.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"42f39036cda808d3de243192a2cf5125f12f3047","lessThan":"8fda5174286119addd28473fb2ec5bdf521c05a8","versionType":"git","status":"affected"},{"version":"42f39036cda808d3de243192a2cf5125f12f3047","lessThan":"7db3e4e03032261b1b519341123fc30d995478ca","versionType":"git","status":"affected"},{"version":"42f39036cda808d3de243192a2cf5125f12f3047","lessThan":"4764953c4b47585eb72797b216b63a831dc0c7e6","versionType":"git","status":"affected"},{"version":"42f39036cda808d3de243192a2cf5125f12f3047","lessThan":"4510d140524ca7d6e772db962e013f26f09a63b1","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/sched/act_mirred.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.8","status":"affected"},{"version":"0","lessThan":"6.8","versionType":"semver","status":"unaffected"},{"version":"6.12.91","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]