{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-52912","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-06-09T07:44:35.366Z","datePublished":"2026-06-24T07:14:10.583Z","dateUpdated":"2026-06-28T06:36:30.468Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-28T06:36:30.468Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_queue: hold bridge skb->dev while queued\n\nbr_pass_frame_up() rewrites skb->dev from the ingress port to the bridge\nmaster before queueing bridge LOCAL_IN packets. NFQUEUE only holds\nreferences on state.in/out and bridge physdevs, so a queued bridge\npacket can retain a freed bridge master in skb->dev until reinjection.\n\nWhen the verdict is reinjected later, br_netif_receive_skb() re-enters\nthe receive path with skb->dev still pointing at the freed bridge master,\ntriggering a use-after-free.\n\nStore skb->dev in the queue entry, hold a reference on it for the queue\nlifetime, and use the saved device when dropping queued packets during\nNETDEV_DOWN handling."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/netfilter/nf_queue.h","net/netfilter/nf_queue.c","net/netfilter/nfnetlink_queue.c"],"versions":[{"version":"ac28634456867b23b95faccba7997a62ec430603","lessThan":"950d809f154dca04e5fbe5d3c8b9c5e44769cd57","status":"affected","versionType":"git"},{"version":"ac28634456867b23b95faccba7997a62ec430603","lessThan":"a698ac8ab2561cf575d2d9f34095032651dd952e","status":"affected","versionType":"git"},{"version":"ac28634456867b23b95faccba7997a62ec430603","lessThan":"19924bdd8a45ebc72a7b84c57fd63057d1dc75ac","status":"affected","versionType":"git"},{"version":"ac28634456867b23b95faccba7997a62ec430603","lessThan":"1e5e20031c5eee8d2e490a90ff4d6a2feecfc3be","status":"affected","versionType":"git"},{"version":"ac28634456867b23b95faccba7997a62ec430603","lessThan":"3823c27099cfe2482299065814adbaa771be9644","status":"affected","versionType":"git"},{"version":"ac28634456867b23b95faccba7997a62ec430603","lessThan":"15d464265120ab9818bd673af301deee09bedab2","status":"affected","versionType":"git"},{"version":"ac28634456867b23b95faccba7997a62ec430603","lessThan":"3fb0f5c0f64162a8c3f25616a4f1e340b921737f","status":"affected","versionType":"git"},{"version":"ac28634456867b23b95faccba7997a62ec430603","lessThan":"e196115ec330a18de415bdb9f5071aa9f08e53ce","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/netfilter/nf_queue.h","net/netfilter/nf_queue.c","net/netfilter/nfnetlink_queue.c"],"versions":[{"version":"4.7","status":"affected"},{"version":"0","lessThan":"4.7","status":"unaffected","versionType":"semver"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.142","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.92","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.34","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.11","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7","versionEndExcluding":"5.10.259"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7","versionEndExcluding":"5.15.209"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7","versionEndExcluding":"6.1.175"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7","versionEndExcluding":"6.6.142"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7","versionEndExcluding":"6.12.92"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7","versionEndExcluding":"6.18.34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7","versionEndExcluding":"7.0.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7","versionEndExcluding":"7.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/950d809f154dca04e5fbe5d3c8b9c5e44769cd57"},{"url":"https://git.kernel.org/stable/c/a698ac8ab2561cf575d2d9f34095032651dd952e"},{"url":"https://git.kernel.org/stable/c/19924bdd8a45ebc72a7b84c57fd63057d1dc75ac"},{"url":"https://git.kernel.org/stable/c/1e5e20031c5eee8d2e490a90ff4d6a2feecfc3be"},{"url":"https://git.kernel.org/stable/c/3823c27099cfe2482299065814adbaa771be9644"},{"url":"https://git.kernel.org/stable/c/15d464265120ab9818bd673af301deee09bedab2"},{"url":"https://git.kernel.org/stable/c/3fb0f5c0f64162a8c3f25616a4f1e340b921737f"},{"url":"https://git.kernel.org/stable/c/e196115ec330a18de415bdb9f5071aa9f08e53ce"}],"title":"netfilter: nf_queue: hold bridge skb->dev while queued","x_generator":{"engine":"bippy-1.2.0"}}}}