Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path

nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue
entry from the queue data structures, taking ownership of the entry.
For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN
attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN
present but NFQA_VLAN_TCI missing), the function returns immediately
without freeing the dequeued entry or its sk_buff.

This leaks the nf_queue_entry, its associated sk_buff, and all held
references (net_device refcounts, struct net refcount). Repeated
triggering exhausts kernel memory.

Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict
on the error path, consistent with other error handling in this file.
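
The ownership mistake described above, modelled in user-space C as an added example (not the kernel's code or the upstream patch). `dequeue`, `parse_bridge`, `reinject` and `recv_verdict` are hypothetical stand-ins for the kernel functions named in the description, and `live_entries` counts allocations that were never released.

```c
/* User-space model of the ownership bug; not kernel code. All names are
 * illustrative stand-ins for the functions named in the description. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

struct entry { int id; struct entry *next; };  /* models nf_queue_entry + skb */
struct attrs { bool has_vlan, has_vlan_tci; }; /* models NFQA_VLAN / NFQA_VLAN_TCI */
static struct entry *queue_head;
static int live_entries;                       /* allocations not yet released */

static void enqueue(int id) {
    struct entry *e = malloc(sizeof(*e));
    if (!e) abort();
    e->id = id; e->next = queue_head; queue_head = e;
    live_entries++;
}

/* Unlinks the entry: from here on the caller owns it and must release it. */
static struct entry *dequeue(int id) {
    for (struct entry **pp = &queue_head; *pp; pp = &(*pp)->next)
        if ((*pp)->id == id) { struct entry *e = *pp; *pp = e->next; return e; }
    return NULL;
}

/* Rejects a VLAN attribute that arrives without its TCI. */
static int parse_bridge(const struct attrs *a) {
    return (a->has_vlan && !a->has_vlan_tci) ? -EINVAL : 0;
}

/* Models reinjection with a verdict: always consumes the entry. */
static void reinject(struct entry *e) { free(e); live_entries--; }

static int recv_verdict(int id, const struct attrs *a, bool fixed) {
    struct entry *e = dequeue(id);
    if (!e) return -ENOENT;
    int err = parse_bridge(a);
    if (err < 0) {
        if (fixed) reinject(e);  /* fix: drop the entry before returning */
        return err;              /* unfixed: e is unreachable, never freed */
    }
    reinject(e);
    return 0;
}

/* Entries still allocated after n verdicts with malformed VLAN attributes. */
int leaked_after(int n, bool fixed) {
    struct attrs bad = { .has_vlan = true, .has_vlan_tci = false };
    live_entries = 0; queue_head = NULL;
    for (int i = 0; i < n; i++) { enqueue(i); recv_verdict(i, &bad, fixed); }
    return live_entries;
}
int main(void) { return leaked_after(1000, true) != 0; }
```
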
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kernel function nfqnl_recv_verdict() fails to clean up a dequeued NFQUEUE entry when parsing VLAN attributes encounters an error. This leaks the nf_queue_entry, its sk_buff, and the related reference counts; repeated triggering can exhaust kernel memory, leading to system instability or denial of service for local users. The vulnerability does not provide remote code execution or privilege escalation and is limited to a local denial-of-service impact. It is a resource allocation and deallocation error (CWE-772).

Affected Systems

All Linux kernel builds that include the nfnetlink_queue subsystem are affected, including mainstream distributions that ship the latest stable kernel sources. Specific version information is not provided, so any host using a kernel that contains the unpatched NFQUEUE queue‑leak code is potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.5 and an EPSS score of less than 1% indicate a very low probability of exploitation in the wild; the KEV catalog lists it as not observed. The attack is likely local, requiring the injection of packets with malformed VLAN attributes to trigger nfqueue processing. Repeated failures drain kernel memory, ultimately causing a denial of service. Although exploitation is not trivial, the absence of hardening measures leaves the vulnerability as a significant local resource exhaustion risk.

Generated by OpenCVE AI on May 9, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a build that includes the nfnetlink_queue memory‑leak fix, or merge the relevant commit from the upstream kernel repository.
  • Restart services that use nfnetlink_queue to ensure the updated code is in use and clear any stale resources.
  • Enable detailed kernel logging for the nfnetlink_queue subsystem and monitor system logs for repeated parse errors or memory growth, either of which indicates a potential residual leak.


Advisories

No advisories yet.

History

Sat, 09 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399

Sat, 09 May 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Fri, 08 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399
CWE-772

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue entry from the queue data structures, taking ownership of the entry. For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN present but NFQA_VLAN_TCI missing), the function returns immediately without freeing the dequeued entry or its sk_buff. This leaks the nf_queue_entry, its associated sk_buff, and all held references (net_device refcounts, struct net refcount). Repeated triggering exhausts kernel memory. Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict on the error path, consistent with other error handling in this file.
Title netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:22:16.716Z

Reserved: 2026-05-01T14:12:56.010Z

Link: CVE-2026-43451

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T15:16:57.773

Modified: 2026-05-08T15:16:57.773

Link: CVE-2026-43451

Redhat

Severity: Low

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43451 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T16:30:37Z

Weaknesses