Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local access with low privileges, but exploitation hinges on winning a queue-vs-teardown race and a non-default NFQUEUE-on-bridge config, so AC:H; kernel UAF gives full C/I/A impact.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_queue: hold bridge skb->dev while queued
br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge master before queueing bridge LOCAL_IN packets. NFQUEUE only holds references on state.in/out and bridge physdevs, so a queued bridge packet can retain a freed bridge master in skb->dev until reinjection.
When the verdict is reinjected later, br_netif_receive_skb() re-enters the receive path with skb->dev still pointing at the freed bridge master, triggering a use-after-free.
Store skb->dev in the queue entry, hold a reference on it for the queue lifetime, and use the saved device when dropping queued packets during NETDEV_DOWN handling.
AnalysisAI
Use-after-free in the Linux kernel's netfilter NFQUEUE subsystem affects bridge LOCAL_IN packet handling, where br_pass_frame_up() rewrites skb->dev to the bridge master before queuing without holding a reference on that device. A local attacker who can influence queued bridge traffic and trigger bridge teardown (NETDEV_DOWN) can cause the kernel to re-enter the receive path with a freed bridge master device, yielding a use-after-free with high confidentiality, integrity, and availability impact (CVSS 7.8). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a Linux host configured with bridging AND netfilter NFQUEUE (nfnetlink_queue) rules that queue bridge LOCAL_IN packets for a userspace verdict - this is the exact non-default feature combination named in the description (br_pass_frame_up rewriting skb->dev to the bridge master before NFQUEUE handling). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent and point to a genuine but not urgent issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a host that bridges interfaces and uses NFQUEUE to hand bridge LOCAL_IN packets to a userspace verdict program, a low-privileged local user induces a packet to be queued and then races the destruction of the bridge master device. When the queued verdict is reinjected, the kernel dereferences the freed bridge master in skb->dev, causing a use-after-free that can crash the system or potentially be groomed into memory corruption. … |
| Remediation | Apply your distribution's kernel update to a fixed stable release: Vendor-released patch versions include 5.10.259, 5.15.209, 6.1.175, 6.6.142, 6.12.92, 6.18.34, 7.0.11, and 7.1 (and later), which add reference counting on the stored bridge device. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Conduct inventory of all Linux systems and identify which run vulnerable kernel versions; contact distribution vendors (RHEL, Ubuntu, Debian, etc.) regarding patch availability and timeline. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38715
GHSA-ffm7-9f73-pvmf