CVE-2026-52912 | In the Linux kernel, the following vulnerability has been re…

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_queue: hold bridge skb->dev while queued br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge master before queueing bridge LOCAL_IN packets. NFQUEUE only holds references on state.in/out and bridge physdevs, so a queued bridge packet can retain a freed bridge master in skb->dev until reinjection. When the verdict is reinjected later, br_netif_receive_skb() re-enters the receive path with skb->dev still pointing at the freed bridge master, triggering a use-after-free. Store skb->dev in the queue entry, hold a reference on it for the queue lifetime, and use the saved device when dropping queued packets during NETDEV_DOWN handling.

Metadata

CVE ID: CVE-2026-52912
State: PUBLISHED
Assigner: Linux
Reserved: 2026-06-09 07:44 UTC
Published: 2026-06-24 07:14 UTC
Last updated: 2026-06-24 07:14 UTC
Vendor / Product: Linux / Linux
Sources: cve.org · NVD

Severity & Metrics

No CVSS data available.

Affected products (2)

Vendor	Product	Platform	Versions
Linux	Linux	—	ac28634456867b23b95faccba7997a62ec430603 < 950d809f154dca04e5fbe5d3c8b9c5e44769cd57, ac28634456867b23b95faccba7997a62ec430603 < a698ac8ab2561cf575d2d9f34095032651dd952e, ac28634456867b23b95faccba7997a62ec430603 < 19924bdd8a45ebc72a7b84c57fd63057d1dc75ac, ac28634456867b23b95faccba7997a62ec430603 < 1e5e20031c5eee8d2e490a90ff4d6a2feecfc3be …
Linux	Linux	—	4.7, 0 < 4.7, 5.10.259 ≤ 5.10., 5.15.209 ≤ 5.15. …

References (8)