Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: revalidate bridge ports

ebt_redirect_tg() dereferences br_port_get_rcu() return without a
NULL check, causing a kernel panic when the bridge port has been
removed between the original hook invocation and an NFQUEUE
reinject.

A mere NULL check isn't sufficient, however. As sashiko review
points out userspace can not only remove the port from the bridge,
it could also place the device in a different virtual device, e.g.
macvlan.

If this happens, we must drop the packet, there is no way for us to
reinject it into the bridge path.

Switch to _upper API, we don't need the bridge port structure.
Also, this fix keeps another bug intact:

Both nfnetlink_log and nfnetlink_queue use CONFIG_BRIDGE_NETFILTER
too aggressive, which prevents certain logging features when queueing
in bridge family: NETFILTER_FAMILY_BRIDGE can be enabled while the old
CONFIG_BRIDGE_NETFILTER cruft is off.

Fixes tag is a common ancestor, this was always broken.
Published: 2026-06-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A null pointer dereference occurs in the ebt_redirect_tg() function when a bridge port is removed or moved to another virtual device between the original hook invocation and the NFQUEUE reinjection. The function dereferences the return value of br_port_get_rcu() without performing a NULL check, resulting in a kernel panic that brings the entire system to a halt.

Affected Systems

All Linux kernel installations that load the netfilter bridge module and include the ebt_redirect_tg code path without the submitted patch are potentially affected. This includes every Linux distribution that ships the default kernel with CONFIG_BRIDGE_NETFILTER enabled and has not yet applied the fix.

Risk and Exploitability

The flaw requires the ability to modify bridge configuration or manipulate packet flow, an action typically reserved for privileged users. Once triggered, the kernel crash is guaranteed, leading to a denial‑of‑service condition but no privilege escalation or data exfiltration. The CVSS score of 5.5, while the EPSS score of <1% reflects a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, but the disruptive nature of a kernel panic makes it a concern for environments where bridge netfilter is critical.

Generated by OpenCVE AI on June 26, 2026 at 04:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the null-pointer check fix in the ebt_redirect_tg function.
  • If a kernel update is not immediately available, disable the CONFIG_BRIDGE_NETFILTER option or stop using bridge netfilter until the vulnerability is patched.
  • Ensure proper locking and coordination for bridge port removal or device reassignment to avoid race conditions during traffic handling.

Generated by OpenCVE AI on June 26, 2026 at 04:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: revalidate bridge ports ebt_redirect_tg() dereferences br_port_get_rcu() return without a NULL check, causing a kernel panic when the bridge port has been removed between the original hook invocation and an NFQUEUE reinject. A mere NULL check isn't sufficient, however. As sashiko review points out userspace can not only remove the port from the bridge, it could also place the device in a different virtual device, e.g. macvlan. If this happens, we must drop the packet, there is no way for us to reinject it into the bridge path. Switch to _upper API, we don't need the bridge port structure. Also, this fix keeps another bug intact: Both nfnetlink_log and nfnetlink_queue use CONFIG_BRIDGE_NETFILTER too aggressive, which prevents certain logging features when queueing in bridge family: NETFILTER_FAMILY_BRIDGE can be enabled while the old CONFIG_BRIDGE_NETFILTER cruft is off. Fixes tag is a common ancestor, this was always broken.
Title netfilter: revalidate bridge ports
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:22.394Z

Reserved: 2026-06-09T07:44:35.392Z

Link: CVE-2026-53220

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53220 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T04:45:06Z

Weaknesses