Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: revalidate bridge ports

ebt_redirect_tg() dereferences br_port_get_rcu() return without a
NULL check, causing a kernel panic when the bridge port has been
removed between the original hook invocation and an NFQUEUE
reinject.

A mere NULL check isn't sufficient, however. As sashiko review
points out, userspace can not only remove the port from the bridge,
it could also place the device in a different virtual device, e.g.
macvlan.

If this happens, we must drop the packet, there is no way for us to
reinject it into the bridge path.

Switch to _upper API, we don't need the bridge port structure.
Also, this fix keeps another bug intact:

Both nfnetlink_log and nfnetlink_queue use CONFIG_BRIDGE_NETFILTER
too aggressively, which prevents certain logging features when queueing
in bridge family: NETFILTER_FAMILY_BRIDGE can be enabled while the old
CONFIG_BRIDGE_NETFILTER cruft is off.

Fixes tag is a common ancestor, this was always broken.
Published: 2026-06-25
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a null pointer dereference in the ebt_redirect_tg() function. When the bridge port is removed or moved between the original hook invocation and an NFQUEUE re-injection, the function receives a NULL pointer from br_port_get_rcu() and dereferences it. This results in a kernel panic, causing an immediate denial of service on the affected system. The flaw originates from an unchecked return value combined with a race condition that userspace can trigger by manipulating bridge ports or moving devices to virtual interfaces such as macvlan.

Affected Systems

Linux kernel systems that load the netfilter bridge module. The issue exists in all kernel releases that contain the ebt_redirect_tg() code path and do not yet include the submitted patch. No specific version range is listed, so any kernel that implements the netfilter bridge hook is potentially affected.

Risk and Exploitability

The condition requires the ability to control network packets or bridge configuration, typically available to local users with sudo or privileged processes. Once triggered, the kernel panic is guaranteed and provides no authentication bypass or data exfiltration. No CVSS score is supplied; the EPSS score is also unavailable and the vulnerability is not listed in CISA KEV, which suggests a low to moderate exploitation probability. Still, because the impact is a complete denial of service with a crash, the risk remains high, especially in environments where bridge netfilter is enabled and manages traffic for critical services.

Generated by OpenCVE AI on June 25, 2026 at 11:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the ebt_redirect_tg null‑check fix.
  • If an immediate kernel update is not possible, disable the CONFIG_BRIDGE_NETFILTER option or stop using the bridge netfilter family until the fix is applied.
  • Ensure that bridge port removal or device reassignment is coordinated with traffic flow or protected by proper locking to avoid race conditions.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 11:45:00 +0000

Weaknesses: added CWE-476

Thu, 25 Jun 2026 09:15:00 +0000

Description: added "In the Linux kernel, the following vulnerability has been resolved: netfilter: revalidate bridge ports ebt_redirect_tg() dereferences br_port_get_rcu() return without a NULL check, causing a kernel panic when the bridge port has been removed between the original hook invocation and an NFQUEUE reinject. A mere NULL check isn't sufficient, however. As sashiko review points out, userspace can not only remove the port from the bridge, it could also place the device in a different virtual device, e.g. macvlan. If this happens, we must drop the packet, there is no way for us to reinject it into the bridge path. Switch to _upper API, we don't need the bridge port structure. Also, this fix keeps another bug intact: Both nfnetlink_log and nfnetlink_queue use CONFIG_BRIDGE_NETFILTER too aggressively, which prevents certain logging features when queueing in bridge family: NETFILTER_FAMILY_BRIDGE can be enabled while the old CONFIG_BRIDGE_NETFILTER cruft is off. Fixes tag is a common ancestor, this was always broken."
Title: added "netfilter: revalidate bridge ports"
First Time appeared: added Linux, Linux linux Kernel
CPEs: added cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: added Linux, Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:22.394Z

Reserved: 2026-06-09T07:44:35.392Z

Link: CVE-2026-53220

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T11:30:06Z

Weaknesses