Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_queue: hold bridge skb->dev while queued

br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge
master before queueing bridge LOCAL_IN packets. NFQUEUE only holds
references on state.in/out and bridge physdevs, so a queued bridge
packet can retain a freed bridge master in skb->dev until reinjection.

When the verdict is reinjected later, br_netif_receive_skb() re-enters
the receive path with skb->dev still pointing at the freed bridge master,
triggering a use-after-free.

Store skb->dev in the queue entry, hold a reference on it for the queue
lifetime, and use the saved device when dropping queued packets during
NETDEV_DOWN handling.
Published: 2026-06-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel netfilter nf_queue module incorrectly holds a reference to the skb->dev pointer when queueing bridge LOCAL_IN packets. During packet forwarding, br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge master, but NFQUEUE only manages state.in/out and bridge physdevs, allowing a queued packet to retain a pointer to a freed bridge master. When the packet is later reinjected, the receive path reenters with skb->dev still pointing to the freed bridge master, causing a use‑after‑free that can corrupt kernel memory and potentially allow an attacker to execute arbitrary code or gain elevated privileges. This flaw exemplifies a use‑after‑free vulnerability and also involves CWE‑911, which relates to improper handling of resource state.

Affected Systems

Affected systems are Linux kernel builds that contain the nf_queue module before the patch that introduces a reference hold on skb->dev are likely vulnerable. Vendors and distributions shipping Linux kernels that have not yet applied the commit that fixes this issue will be impacted.

Risk and Exploitability

Use‑after‑free vulnerabilities in the kernel are considered high‑severity and present a serious risk for exploitation. The CVSS score is 7.8, indicating a high severity. The EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog, which suggests it has not yet been observed in active exploitation. The likely attack vector is through crafted network traffic that is queued by nf_queue, which could be delivered either locally or remotely depending on the network topology.

Generated by OpenCVE AI on June 28, 2026 at 13:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that includes the nf_queue fix.
  • If a kernel update is not immediately possible, unload or disable the nf_queue module or set CONFIG_NETFILTER_NFQUEUE to off.
  • Adjust bridge forwarding configuration to mitigate exposure—e.g., set sysctl net.bridge.bridge-nf-call-iptables to 0 for LOCAL_IN packets.
  • Monitor system logs (dmesg, journalctl) for signs of kernel corruption or use‑after‑free crashes.

Generated by OpenCVE AI on June 28, 2026 at 13:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 25 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_queue: hold bridge skb->dev while queued br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge master before queueing bridge LOCAL_IN packets. NFQUEUE only holds references on state.in/out and bridge physdevs, so a queued bridge packet can retain a freed bridge master in skb->dev until reinjection. When the verdict is reinjected later, br_netif_receive_skb() re-enters the receive path with skb->dev still pointing at the freed bridge master, triggering a use-after-free. Store skb->dev in the queue entry, hold a reference on it for the queue lifetime, and use the saved device when dropping queued packets during NETDEV_DOWN handling.
Title netfilter: nf_queue: hold bridge skb->dev while queued
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:36:30.468Z

Reserved: 2026-06-09T07:44:35.366Z

Link: CVE-2026-52912

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52912 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:00:21Z

Weaknesses
  • CWE-911

    Improper Update of Reference Count