Impact
The Linux kernel netfilter nf_queue module incorrectly holds a reference to the skb->dev pointer when queueing bridge LOCAL_IN packets. During packet forwarding, br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge master, but NFQUEUE only manages state.in/out and bridge physdevs, allowing a queued packet to retain a pointer to a freed bridge master. When the packet is later reinjected, the receive path reenters with skb->dev still pointing to the freed bridge master, causing a use‑after‑free that can corrupt kernel memory and potentially allow an attacker to execute arbitrary code or gain elevated privileges. This flaw exemplifies a use‑after‑free vulnerability and also involves CWE‑911, which relates to improper handling of resource state.
Affected Systems
Affected systems are Linux kernel builds that contain the nf_queue module before the patch that introduces a reference hold on skb->dev are likely vulnerable. Vendors and distributions shipping Linux kernels that have not yet applied the commit that fixes this issue will be impacted.
Risk and Exploitability
Use‑after‑free vulnerabilities in the kernel are considered high‑severity and present a serious risk for exploitation. The CVSS score is 7.8, indicating a high severity. The EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog, which suggests it has not yet been observed in active exploitation. The likely attack vector is through crafted network traffic that is queued by nf_queue, which could be delivered either locally or remotely depending on the network topology.
OpenCVE Enrichment
Debian DLA