{"id":"CVE-2026-52912","summary":"netfilter: nf_queue: hold bridge skb-\u003edev while queued","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_queue: hold bridge skb-\u003edev while queued\n\nbr_pass_frame_up() rewrites skb-\u003edev from the ingress port to the bridge\nmaster before queueing bridge LOCAL_IN packets. NFQUEUE only holds\nreferences on state.in/out and bridge physdevs, so a queued bridge\npacket can retain a freed bridge master in skb-\u003edev until reinjection.\n\nWhen the verdict is reinjected later, br_netif_receive_skb() re-enters\nthe receive path with skb-\u003edev still pointing at the freed bridge master,\ntriggering a use-after-free.\n\nStore skb-\u003edev in the queue entry, hold a reference on it for the queue\nlifetime, and use the saved device when dropping queued packets during\nNETDEV_DOWN handling.","modified":"2026-06-25T04:05:21.234090287Z","published":"2026-06-24T07:14:10.583Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52912.json","cna_assigner":"Linux"},"references":[{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"},{"type":"WEB","url":"https://git.kernel.org/stable/c/15d464265120ab9818bd673af301deee09bedab2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/19924bdd8a45ebc72a7b84c57fd63057d1dc75ac"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1e5e20031c5eee8d2e490a90ff4d6a2feecfc3be"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3823c27099cfe2482299065814adbaa771be9644"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3fb0f5c0f64162a8c3f25616a4f1e340b921737f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/950d809f154dca04e5fbe5d3c8b9c5e44769cd57"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a698ac8ab2561cf575d2d9f34095032651dd952e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e196115ec330a18de415bdb9f5071aa9f08e53ce"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52912.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-52912"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ac28634456867b23b95faccba7997a62ec430603"},{"fixed":"950d809f154dca04e5fbe5d3c8b9c5e44769cd57"},{"fixed":"a698ac8ab2561cf575d2d9f34095032651dd952e"},{"fixed":"19924bdd8a45ebc72a7b84c57fd63057d1dc75ac"},{"fixed":"1e5e20031c5eee8d2e490a90ff4d6a2feecfc3be"},{"fixed":"3823c27099cfe2482299065814adbaa771be9644"},{"fixed":"15d464265120ab9818bd673af301deee09bedab2"},{"fixed":"3fb0f5c0f64162a8c3f25616a4f1e340b921737f"},{"fixed":"e196115ec330a18de415bdb9f5071aa9f08e53ce"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-52912.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.7.0"},{"fixed":"5.10.259"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.209"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.142"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.92"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.34"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.11"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-52912.json"}}],"schema_version":"1.7.5"}