Impact
A null pointer dereference occurs in the ebt_redirect_tg() function when a bridge port is removed or moved to another virtual device between the original hook invocation and the NFQUEUE reinjection. The function dereferences the return value of br_port_get_rcu() without performing a NULL check, resulting in a kernel panic that brings the entire system to a halt.
Affected Systems
All Linux kernel installations that load the netfilter bridge module and include the ebt_redirect_tg code path without the submitted patch are potentially affected. This includes every Linux distribution that ships the default kernel with CONFIG_BRIDGE_NETFILTER enabled and has not yet applied the fix.
Risk and Exploitability
The flaw requires the ability to modify bridge configuration or manipulate packet flow, an action typically reserved for privileged users. Once triggered, the kernel crash is guaranteed, leading to a denial‑of‑service condition but no privilege escalation or data exfiltration. The CVSS score of 5.5, while the EPSS score of <1% reflects a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, but the disruptive nature of a kernel panic makes it a concern for environments where bridge netfilter is critical.
OpenCVE Enrichment