CVE-2026-52912
Received - Intake
Use-After-Free in Linux Kernel Netfilter nf_queue

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_queue: hold bridge skb->dev while queued

br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge master before queueing bridge LOCAL_IN packets. NFQUEUE only holds references on state.in/out and bridge physdevs, so a queued bridge packet can retain a freed bridge master in skb->dev until reinjection.

When the verdict is reinjected later, br_netif_receive_skb() re-enters the receive path with skb->dev still pointing at the freed bridge master, triggering a use-after-free.

Store skb->dev in the queue entry, hold a reference on it for the queue lifetime, and use the saved device when dropping queued packets during NETDEV_DOWN handling.

Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
linux | linux_kernel | *

CWE ID Description
CWE-UNKNOWN
Impact Analysis

This vulnerability can lead to a use-after-free condition in the Linux kernel's networking code. Such a condition may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges. This could compromise the security and reliability of systems running vulnerable Linux kernel versions, especially those using bridging and NFQUEUE features.

Executive Summary

This vulnerability exists in the Linux kernel's netfilter subsystem, specifically in the nf_queue component. It concerns bridged packets that are queued to NFQUEUE. Before a bridge LOCAL_IN packet is queued, br_pass_frame_up() rewrites skb->dev, the field that points to the network device associated with the packet, from the ingress port to the bridge master device. NFQUEUE, however, only holds references on state.in/out and the bridge physdevs, not on the bridge master itself. As a result, skb->dev in a queued packet can be left pointing at a bridge master device that has already been freed.

Later, when the packet verdict is reinjected, the kernel function br_netif_receive_skb() processes the packet with skb->dev still pointing to the freed bridge master device. This triggers a use-after-free condition, which is a type of memory error where the system accesses memory that has already been freed.

The fix stores skb->dev in the queue entry and holds a reference on it for as long as the packet is queued, so the device remains valid until reinjection. The saved device is also used when dropping queued packets during NETDEV_DOWN handling.
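
The reference-counting gap and its fix can be modelled in userspace. The following is an added example, not kernel code and not taken from the patch; every toy_* name is hypothetical, and "freed" is only a flag so that the model can report a stale pointer without touching freed memory.

```c
/* Userspace model built for illustration, not kernel code; toy_* names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
struct toy_dev { int refcnt; bool freed; };   /* "freed" is a flag; nothing is really freed */
struct toy_skb { struct toy_dev *dev; };
struct toy_entry {
    struct toy_skb *skb;
    struct toy_dev *in;       /* models state.in, which the queue entry already held */
    struct toy_dev *skb_dev;  /* models the saved skb->dev; NULL in the unpatched model */
};
static void toy_hold(struct toy_dev *d) { d->refcnt++; }
static void toy_put(struct toy_dev *d) { if (--d->refcnt == 0) d->freed = true; }

/* Queue a packet; fixed=true also saves skb->dev and holds a reference on it. */
static void toy_enqueue(struct toy_entry *e, struct toy_skb *skb, struct toy_dev *in, bool fixed)
{
    e->skb = skb; e->in = in; e->skb_dev = NULL;
    toy_hold(in);
    if (fixed) { e->skb_dev = skb->dev; toy_hold(e->skb_dev); }
}

/* Device-down handling: does this queued entry depend on device d? */
static bool toy_uses(const struct toy_entry *e, const struct toy_dev *d) { return e->in == d || e->skb_dev == d; }

/* Reinject: report whether skb->dev was still live, then drop the held references. */
static bool toy_reinject(struct toy_entry *e)
{
    bool live = !e->skb->dev->freed;
    toy_put(e->in);
    if (e->skb_dev) toy_put(e->skb_dev);
    return live;
}

/* Bridge LOCAL_IN packet is queued, the bridge master is released, the verdict arrives. */
static bool toy_scenario(bool fixed, bool *matched_bridge)
{
    struct toy_dev port = { 1, false }, br = { 1, false };
    struct toy_skb skb = { &br };   /* skb->dev already rewritten to the bridge master */
    struct toy_entry e;
    toy_enqueue(&e, &skb, &port, fixed);
    *matched_bridge = toy_uses(&e, &br);  /* would a device-down sweep find this entry? */
    toy_put(&br);                   /* owner drops its own reference to the master */
    return toy_reinject(&e);
}

int main(void)
{
    bool m0, m1, l0 = toy_scenario(false, &m0), l1 = toy_scenario(true, &m1);
    printf("unpatched: live=%d found_on_down=%d\npatched: live=%d found_on_down=%d\n", l0, m0, l1, m1);
}
```

In the unpatched model the entry pins only the ingress port, so the bridge master's count reaches zero while the packet is still queued and a device-down sweep for the master does not find the entry; with the saved device both conditions are corrected.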
