CVE-2026-52912

NONE EPSS 3.9%
Published Jun 24, 20266d ago · Modified Jun 24, 20266d ago
Find Similar
Published Jun 24, 2026 6d ago
Last Modified Jun 24, 2026 6d ago

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_queue: hold bridge skb->dev while queued br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge master before queueing bridge LOCAL_IN packets. NFQUEUE only holds references on state.in/out and bridge physdevs, so a queued bridge packet can retain a freed bridge master in skb->dev until reinjection. When the verdict is reinjected later, br_netif_receive_skb() re-enters the receive path with skb->dev still pointing at the freed bridge master, triggering a use-after-free. Store skb->dev in the queue entry, hold a reference on it for the queue lifetime, and use the saved device when dropping queued packets during NETDEV_DOWN handling.

Threat Intelligence

EPSS Exploit Probability
3.9% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

References 8

  • git.kernel.org https://git.kernel.org/stable/c/15d464265120ab9818bd673af301deee09bedab2
  • git.kernel.org https://git.kernel.org/stable/c/19924bdd8a45ebc72a7b84c57fd63057d1dc75ac
  • git.kernel.org https://git.kernel.org/stable/c/1e5e20031c5eee8d2e490a90ff4d6a2feecfc3be
  • git.kernel.org https://git.kernel.org/stable/c/3823c27099cfe2482299065814adbaa771be9644
  • git.kernel.org https://git.kernel.org/stable/c/3fb0f5c0f64162a8c3f25616a4f1e340b921737f
  • git.kernel.org https://git.kernel.org/stable/c/950d809f154dca04e5fbe5d3c8b9c5e44769cd57
  • git.kernel.org https://git.kernel.org/stable/c/a698ac8ab2561cf575d2d9f34095032651dd952e
  • git.kernel.org https://git.kernel.org/stable/c/e196115ec330a18de415bdb9f5071aa9f08e53ce

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.