CVE-2026-52912
- Source
- https://cve.org/CVERecord?id=CVE-2026-52912
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-52912.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-52912
- Downstream
- Published
- 2026-06-24T07:14:10.583Z
- Modified
- 2026-06-25T04:05:21.234090287Z
- Summary
- netfilter: nf_queue: hold bridge skb->dev while queued
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_queue: hold bridge skb->dev while queued
brpassframeup() rewrites skb->dev from the ingress port to the bridge master before queueing bridge LOCALIN packets. NFQUEUE only holds references on state.in/out and bridge physdevs, so a queued bridge packet can retain a freed bridge master in skb->dev until reinjection.
When the verdict is reinjected later, brnetifreceive_skb() re-enters the receive path with skb->dev still pointing at the freed bridge master, triggering a use-after-free.
Store skb->dev in the queue entry, hold a reference on it for the queue lifetime, and use the saved device when dropping queued packets during NETDEV_DOWN handling.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52912.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/15d464265120ab9818bd673af301deee09bedab2
- https://git.kernel.org/stable/c/19924bdd8a45ebc72a7b84c57fd63057d1dc75ac
- https://git.kernel.org/stable/c/1e5e20031c5eee8d2e490a90ff4d6a2feecfc3be
- https://git.kernel.org/stable/c/3823c27099cfe2482299065814adbaa771be9644
- https://git.kernel.org/stable/c/3fb0f5c0f64162a8c3f25616a4f1e340b921737f
- https://git.kernel.org/stable/c/950d809f154dca04e5fbe5d3c8b9c5e44769cd57
- https://git.kernel.org/stable/c/a698ac8ab2561cf575d2d9f34095032651dd952e
- https://git.kernel.org/stable/c/e196115ec330a18de415bdb9f5071aa9f08e53ce
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52912.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-52912
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedac28634456867b23b95faccba7997a62ec430603Fixed950d809f154dca04e5fbe5d3c8b9c5e44769cd57Fixeda698ac8ab2561cf575d2d9f34095032651dd952eFixed19924bdd8a45ebc72a7b84c57fd63057d1dc75acFixed1e5e20031c5eee8d2e490a90ff4d6a2feecfc3beFixed3823c27099cfe2482299065814adbaa771be9644Fixed15d464265120ab9818bd673af301deee09bedab2Fixed3fb0f5c0f64162a8c3f25616a4f1e340b921737fFixede196115ec330a18de415bdb9f5071aa9f08e53ce
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced4.7.0Fixed5.10.259
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.209
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.175
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.142
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.12.92
- Type
- ECOSYSTEM
- Events
-
Introduced6.13.0Fixed6.18.34
- Type
- ECOSYSTEM
- Events
-
Introduced6.19.0Fixed7.0.11