netfilter: nf_queue: hold bridge skb->dev while queued_CVE-2026-52912

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_queue: hold bridge skb->dev while queued

br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge
master before queueing bridge LOCAL_IN packets. NFQUEUE only holds
references on state.in/out and bridge physdevs, so a queued bridge
packet can retain a freed bridge master in skb->dev until reinjection.

When the verdict is reinjected later, br_netif_receive_skb() re-enters
the receive path with skb->dev still pointing at the freed bridge master,
triggering a use-after-free.

Store skb->dev in the queue entry, hold a reference on it for the queue
lifetime, and use the saved device when dropping queued packets during
NETDEV_DOWN handling.

Basic Information

ID CVE-2026-52912

Source Linux

Published Jun 24, 2026 at 07:14

Modified Jun 28, 2026 at 06:36

Affected Product

Vendor Linux

Product Linux

Version ac28634456867b23b95faccba7997a62ec430603

Affected Versions Linux Linux ac28634456867b23b95faccba7997a62ec430603
Linux Linux ac28634456867b23b95faccba7997a62ec430603
Linux Linux ac28634456867b23b95faccba7997a62ec430603
Linux Linux ac28634456867b23b95faccba7997a62ec430603
Linux Linux ac28634456867b23b95faccba7997a62ec430603
Linux Linux ac28634456867b23b95faccba7997a62ec430603
Linux Linux ac28634456867b23b95faccba7997a62ec430603
Linux Linux ac28634456867b23b95faccba7997a62ec430603
Linux Linux 4.7

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_queue: hold bridge skb->dev while queued\n\nbr_pass_frame_up() rewrites skb->dev from the ingress port to the bridge\nmaster before queueing bridge LOCAL_IN packets. NFQUEUE only holds\nreferences on state.in/out and bridge physdevs, so a queued bridge\npacket can retain a freed bridge master in skb->dev until reinjection.\n\nWhen the verdict is reinjected later, br_netif_receive_skb() re-enters\nthe receive path with skb->dev still pointing at the freed bridge master,\ntriggering a use-after-free.\n\nStore skb->dev in the queue entry, hold a reference on it for the queue\nlifetime, and use the saved device when dropping queued packets during\nNETDEV_DOWN handling.",
    "published": "2026-06-24T07:14:10.583Z",
    "modified": "2026-06-28T06:36:30.468Z",
    "type": "cve",
    "title": "netfilter: nf_queue: hold bridge skb->dev while queued",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/950d809f154dca04e5fbe5d3c8b9c5e44769cd57\nhttps://git.kernel.org/stable/c/a698ac8ab2561cf575d2d9f34095032651dd952e\nhttps://git.kernel.org/stable/c/19924bdd8a45ebc72a7b84c57fd63057d1dc75ac\nhttps://git.kernel.org/stable/c/1e5e20031c5eee8d2e490a90ff4d6a2feecfc3be\nhttps://git.kernel.org/stable/c/3823c27099cfe2482299065814adbaa771be9644\nhttps://git.kernel.org/stable/c/15d464265120ab9818bd673af301deee09bedab2\nhttps://git.kernel.org/stable/c/3fb0f5c0f64162a8c3f25616a4f1e340b921737f\nhttps://git.kernel.org/stable/c/e196115ec330a18de415bdb9f5071aa9f08e53ce",
    "id": "CVE-2026-52912",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux ac28634456867b23b95faccba7997a62ec430603\nLinux Linux ac28634456867b23b95faccba7997a62ec430603\nLinux Linux ac28634456867b23b95faccba7997a62ec430603\nLinux Linux ac28634456867b23b95faccba7997a62ec430603\nLinux Linux ac28634456867b23b95faccba7997a62ec430603\nLinux Linux ac28634456867b23b95faccba7997a62ec430603\nLinux Linux ac28634456867b23b95faccba7997a62ec430603\nLinux Linux ac28634456867b23b95faccba7997a62ec430603\nLinux Linux 4.7",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "ac28634456867b23b95faccba7997a62ec430603",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply