Impact
The Linux kernel netfilter nf_queue module fails to hold a reference on the device that skb->dev points to when queueing bridge LOCAL_IN packets. During packet forwarding, br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge master, but NFQUEUE only takes references on the hook state's in/out devices and the bridge physdevs, so a queued packet can retain a pointer to a bridge master that is freed in the meantime. When the packet is later reinjected, the receive path re-enters with skb->dev still pointing to the freed bridge master, causing a use-after-free that can corrupt kernel memory and potentially allow an attacker to execute arbitrary code or gain elevated privileges. The vulnerability directly exposes a kernel data structure to an attacker and is a classic example of a use-after-free flaw.
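The reference-count mechanics behind the flaw, shown as an added user-space model that is neither kernel code nor part of this advisory: net_dev, dev_hold, dev_put, bridge_pass_frame_up, nf_queue_enqueue and nf_queue_reinject are hypothetical stand-ins for the kernel's structures and helpers, and a freed flag replaces real memory release so the program never dereferences freed memory. With queue_holds_dev=false the queue keeps only the raw skb->dev pointer (the pre-fix behaviour) and reinjection finds a device that was already released; with queue_holds_dev=true the queue takes its own reference, the device outlives the queued packet, and the reference is dropped on reinjection so nothing leaks.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical user-space model of the reference-counting pattern at issue.
 * Names below are stand-ins, not the kernel's own API. */

struct net_dev {
    char name[16];
    int refcnt;
    bool freed;   /* set when the last reference drops (models freeing the device) */
};

struct packet {
    struct net_dev *dev;   /* skb->dev analogue: a raw pointer, not a counted reference */
};

struct queue_entry {
    struct packet *pkt;
    struct net_dev *held_dev;   /* device the queue holds a reference on, or NULL */
};

static struct net_dev *dev_alloc(const char *name)
{
    struct net_dev *d = calloc(1, sizeof *d);
    if (!d) abort();
    strncpy(d->name, name, sizeof d->name - 1);
    d->refcnt = 1;   /* the creator's reference */
    return d;
}

static void dev_hold(struct net_dev *d) { d->refcnt++; }

static void dev_put(struct net_dev *d)
{
    if (--d->refcnt == 0)
        d->freed = true;   /* last reference gone: the kernel would free it here */
}

/* Models br_pass_frame_up(): the packet's device is rewritten from the ingress
 * port to the bridge master before the packet reaches the LOCAL_IN hook. */
static void bridge_pass_frame_up(struct packet *pkt, struct net_dev *master)
{
    pkt->dev = master;
}

/* Queueing: with hold_dev=false the queue remembers only the raw pointer (the
 * pre-fix behaviour); with hold_dev=true it takes its own reference first. */
static void nf_queue_enqueue(struct queue_entry *e, struct packet *pkt, bool hold_dev)
{
    e->pkt = pkt;
    e->held_dev = NULL;
    if (hold_dev) {
        dev_hold(pkt->dev);
        e->held_dev = pkt->dev;
    }
}

/* Reinjection: reports whether skb->dev is still a live object at the moment the
 * receive path would use it, then releases the queue's own reference. */
static bool nf_queue_reinject(struct queue_entry *e)
{
    bool live = !e->pkt->dev->freed;
    if (e->held_dev) {
        dev_put(e->held_dev);
        e->held_dev = NULL;
    }
    return live;
}

/* Full scenario. Returns 0 if reinjection saw a live device that was released
 * afterwards, -1 if reinjection would touch a freed device (use-after-free),
 * 1 if the device was live but is still referenced after reinjection (leak). */
int simulate_bridge_local_in(bool queue_holds_dev)
{
    struct net_dev *port = dev_alloc("eth0");
    struct net_dev *br0 = dev_alloc("br0");
    struct packet pkt = { .dev = port };
    struct queue_entry entry;

    bridge_pass_frame_up(&pkt, br0);                  /* skb->dev now points at br0 */
    nf_queue_enqueue(&entry, &pkt, queue_holds_dev);

    dev_put(br0);   /* the bridge is deleted while the packet sits in the queue */

    bool live = nf_queue_reinject(&entry);
    int result = !live ? -1 : (br0->freed ? 0 : 1);

    dev_put(port);
    free(br0);
    free(port);
    return result;
}

int main(void)
{
    printf("without reference hold: %d\n", simulate_bridge_local_in(false));
    printf("with reference hold:    %d\n", simulate_bridge_local_in(true));
    return 0;
}
```

The model deliberately separates the two things a queue must do with a borrowed pointer: take a reference when the packet is parked, and drop it when the packet is reinjected. Dropping the first step reproduces the stale skb->dev; dropping the second would turn the fix into a device leak, which is why the function reports that case separately.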
Affected Systems
Linux kernel builds that contain the nf_queue module and predate the patch introducing a reference hold on skb->dev are likely vulnerable. Vendors and distributions shipping Linux kernels that have not yet applied the commit that fixes this issue will be impacted.
Risk and Exploitability
Use-after-free vulnerabilities in the kernel are considered high-severity and present a serious risk for exploitation. The CVSS score is not provided, but the nature of the flaw indicates a high likelihood of successful exploitation if an attacker can force packet reinjection into the queue. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, which suggests it has not yet been observed in active exploitation. The likely attack vector is through crafted network traffic that is queued by nf_queue, which could be delivered either locally or remotely depending on the network topology.
OpenCVE Enrichment