CVE-2026-53220
Kernel Panic in Linux Kernel via Bridge Port Dereference

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: revalidate bridge ports

ebt_redirect_tg() dereferences the br_port_get_rcu() return value without a NULL check, causing a kernel panic when the bridge port has been removed between the original hook invocation and an NFQUEUE reinject.

A mere NULL check isn't sufficient, however. As the sashiko review points out, userspace can not only remove the port from the bridge, it could also place the device in a different virtual device, e.g. macvlan. If this happens, we must drop the packet; there is no way for us to reinject it into the bridge path.

Switch to the _upper API; we don't need the bridge port structure.

Also, this fix keeps another bug intact: both nfnetlink_log and nfnetlink_queue use CONFIG_BRIDGE_NETFILTER too aggressively, which prevents certain logging features when queueing in the bridge family: NETFILTER_FAMILY_BRIDGE can be enabled while the old CONFIG_BRIDGE_NETFILTER cruft is off.

The Fixes tag is a common ancestor; this was always broken.
Affected Vendors & Products
Vendor: linux
Product: linux_kernel
Version / Range: * (single associated CPE, no version bound given)
Mitigation Strategies

The vulnerability is resolved by changes in the Linux kernel related to netfilter bridge port handling. Immediate mitigation involves updating the Linux kernel to a version that includes the fix for this issue.

The fix involves switching to the _upper API to avoid reliance on the bridge port structure and properly handling packets when the bridge port is removed or moved to a different virtual device.

Since a simple NULL check is insufficient, the updated kernel drops packets that cannot be reinjected into the bridge path, preventing kernel panic.

Executive Summary

This vulnerability exists in the Linux kernel's netfilter component related to bridge port handling. Specifically, the function ebt_redirect_tg() dereferences the result of br_port_get_rcu() without checking if it is NULL. This can cause a kernel panic if the bridge port is removed between the original hook invocation and an NFQUEUE reinjection.

A simple NULL check is not enough because userspace can remove the port from the bridge or move the device to a different virtual device like macvlan. In such cases, the packet must be dropped since reinjection into the bridge path is not possible.

The fix switches to the _upper API so that the bridge port structure is no longer needed. A separate issue noted in the description, nfnetlink_log and nfnetlink_queue gating features on CONFIG_BRIDGE_NETFILTER too aggressively, is explicitly left unaddressed by this change.
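The revalidation described above, as an added user-space model (not kernel code and not the fix itself): the REDIRECT target looks up the ingress device's master at target time and drops the packet unless that master is a bridge. The struct fields, verdict codes and device names are constructed stand-ins; mapping the description's "_upper API" onto the kernel's upper-device helpers plus netif_is_bridge_master() is my assumption, not something the page states.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed verdict codes for this model (the kernel's EBT_* values differ). */
#define EBT_DROP     0
#define EBT_CONTINUE 1

/* Minimal stand-in for the kernel's net_device: only what the check needs. */
struct net_device {
    const char *name;
    uint8_t dev_addr[6];
    struct net_device *master_upper;  /* stand-in for the upper-device link */
    bool is_bridge_master;            /* stand-in for netif_is_bridge_master() */
};

struct skb_model {
    uint8_t h_dest[6];  /* Ethernet destination that the REDIRECT target rewrites */
};

/* Look up the ingress device's master at target time instead of trusting the
 * bridge port found at the original hook. Returns the verdict. */
int redirect_revalidated(const struct net_device *in, struct skb_model *skb)
{
    const struct net_device *upper = in->master_upper;
    /* No upper (port removed) or an upper that is not a bridge (e.g. the
     * device was moved under a macvlan): nothing to reinject into, so drop. */
    if (!upper || !upper->is_bridge_master)
        return EBT_DROP;

    memcpy(skb->h_dest, upper->dev_addr, sizeof skb->h_dest);
    return EBT_CONTINUE;
}

/* Walk through the race from the advisory: queue, re-parent, reinject. */
int main(void)
{
    struct net_device br0  = { "br0",  {0x02,0,0,0,0,1}, NULL, true  };
    struct net_device mvl0 = { "mvl0", {0x02,0,0,0,0,2}, NULL, false };
    struct net_device eth0 = { "eth0", {0x02,0,0,0,0,3}, &br0, false };
    struct skb_model skb = { {0} };
    printf("%s in bridge:    verdict %d\n", eth0.name, redirect_revalidated(&eth0, &skb));
    eth0.master_upper = NULL;   /* userspace removed eth0 from br0 before reinject */
    printf("%s port removed: verdict %d\n", eth0.name, redirect_revalidated(&eth0, &skb));
    eth0.master_upper = &mvl0;  /* userspace re-parented eth0 under a macvlan */
    printf("%s under macvlan: verdict %d\n", eth0.name, redirect_revalidated(&eth0, &skb));
    return 0;
}
```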

Impact Analysis

This vulnerability can cause a kernel panic, which leads to a system crash or denial of service. The panic is triggered when a packet has been queued to userspace via NFQUEUE and, before it is reinjected, the ingress device is removed from the bridge or re-parented onto another virtual device such as macvlan; the reinjected packet then reaches ebt_redirect_tg() with no valid bridge port to dereference. An attacker or a misconfigured userspace process that changes bridge membership during packet processing can therefore trigger it.

Such a kernel panic can disrupt network operations and potentially cause downtime or instability in systems relying on Linux kernel networking features.
