Skip to main content

Linux Kernel CVE-2026-52912

| EUVDEUVD-2026-38715 HIGH
Use After Free (CWE-416)
2026-06-24 Linux GHSA-ffm7-9f73-pvmf
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local access with low privileges, but exploitation hinges on winning a queue-vs-teardown race and a non-default NFQUEUE-on-bridge config, so AC:H; kernel UAF gives full C/I/A impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 10:32 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 09:16 EUVD
CVE Published
Jun 24, 2026 - 07:14 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 24, 2026 - 07:14 cve.org
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_queue: hold bridge skb->dev while queued

br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge master before queueing bridge LOCAL_IN packets. NFQUEUE only holds references on state.in/out and bridge physdevs, so a queued bridge packet can retain a freed bridge master in skb->dev until reinjection.

When the verdict is reinjected later, br_netif_receive_skb() re-enters the receive path with skb->dev still pointing at the freed bridge master, triggering a use-after-free.

Store skb->dev in the queue entry, hold a reference on it for the queue lifetime, and use the saved device when dropping queued packets during NETDEV_DOWN handling.

AnalysisAI

Use-after-free in the Linux kernel's netfilter NFQUEUE subsystem affects bridge LOCAL_IN packet handling, where br_pass_frame_up() rewrites skb->dev to the bridge master before queuing without holding a reference on that device. A local attacker who can influence queued bridge traffic and trigger bridge teardown (NETDEV_DOWN) can cause the kernel to re-enter the receive path with a freed bridge master device, yielding a use-after-free with high confidentiality, integrity, and availability impact (CVSS 7.8). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local low-privileged access
Delivery
Ensure bridge LOCAL_IN packet is queued via NFQUEUE
Exploit
Trigger bridge master teardown (NETDEV_DOWN)
Execution
Reinject verdict to re-enter receive path
Persist
Dereference freed bridge master (use-after-free)
Impact
Crash kernel or corrupt memory for escalation

Vulnerability AssessmentAI

Exploitation Exploitation requires a Linux host configured with bridging AND netfilter NFQUEUE (nfnetlink_queue) rules that queue bridge LOCAL_IN packets for a userspace verdict - this is the exact non-default feature combination named in the description (br_pass_frame_up rewriting skb->dev to the bridge master before NFQUEUE handling). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent and point to a genuine but not urgent issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a host that bridges interfaces and uses NFQUEUE to hand bridge LOCAL_IN packets to a userspace verdict program, a low-privileged local user induces a packet to be queued and then races the destruction of the bridge master device. When the queued verdict is reinjected, the kernel dereferences the freed bridge master in skb->dev, causing a use-after-free that can crash the system or potentially be groomed into memory corruption. …
Remediation Apply your distribution's kernel update to a fixed stable release: Vendor-released patch versions include 5.10.259, 5.15.209, 6.1.175, 6.6.142, 6.12.92, 6.18.34, 7.0.11, and 7.1 (and later), which add reference counting on the stored bridge device. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Conduct inventory of all Linux systems and identify which run vulnerable kernel versions; contact distribution vendors (RHEL, Ubuntu, Debian, etc.) regarding patch availability and timeline. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52912 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy