VDB

CVE-2026-52912

CVE-2026-52912 PUBLISHED CVSS 7.8 HIGH

Reported by Linux · Published June 24, 2026

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_queue: hold bridge skb->dev while queued br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge master before queueing bridge LOCAL_IN packets. NFQUEUE only holds references on state.in/out and bridge physdevs, so a queued bridge packet can retain a freed bridge master in skb->dev until reinjection. When the verdict is reinjected later, br_netif_receive_skb() re-enters the receive path with skb->dev still pointing at the freed bridge master, triggering a use-after-free. Store skb->dev in the queue entry, hold a reference on it for the queue lifetime, and use the saved device when dropping queued packets during NETDEV_DOWN handling.

EPSS 0.19% · 8.8th percentile

Risk Scores

CVSS 3.1
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.19%
8.8th percentile

Affected Products

VendorProductVersions
LinuxLinuxac28634456867b23b95faccba7997a62ec430603, ac28634456867b23b95faccba7997a62ec430603, ac28634456867b23b95faccba7997a62ec430603
LinuxLinux4.7, 0, 5.10.259
linuxlinux_kernel4.7, 4.7, 4.7
LinuxLinuxac28634456867b23b95faccba7997a62ec430603, ac28634456867b23b95faccba7997a62ec430603, ac28634456867b23b95faccba7997a62ec430603

Timeline

  • Jun 24, 2026 CVE Published
  • Jun 25, 2026 Coalition ESS Score
  • Jun 27, 2026 EPSS Score
  • Jun 28, 2026 CVE Updated

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›