Skip to main content

Linux Kernel CVE-2026-53220

| EUVDEUVD-2026-39311 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-7q5m-qv9w-c8xx
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local attack vector with no confidentiality or integrity impact; attacker controls both NFQUEUE timing and bridge port removal, making AC:L appropriate despite the race condition.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 02, 2026 - 23:01 vuln.today
CVSS changed
Jul 02, 2026 - 20:52 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

netfilter: revalidate bridge ports

ebt_redirect_tg() dereferences br_port_get_rcu() return without a NULL check, causing a kernel panic when the bridge port has been removed between the original hook invocation and an NFQUEUE reinject.

A mere NULL check isn't sufficient, however. As sashiko review points out userspace can not only remove the port from the bridge, it could also place the device in a different virtual device, e.g. macvlan.

If this happens, we must drop the packet, there is no way for us to reinject it into the bridge path.

Switch to _upper API, we don't need the bridge port structure. Also, this fix keeps another bug intact:

Both nfnetlink_log and nfnetlink_queue use CONFIG_BRIDGE_NETFILTER too aggressive, which prevents certain logging features when queueing in bridge family: NETFILTER_FAMILY_BRIDGE can be enabled while the old CONFIG_BRIDGE_NETFILTER cruft is off.

Fixes tag is a common ancestor, this was always broken.

AnalysisAI

NULL pointer dereference in the Linux kernel netfilter bridge redirect target crashes the kernel when a bridge port is removed or reassigned between an initial NFQUEUE hook invocation and packet reinject. The affected function ebt_redirect_tg() in the ebtables bridge filtering subsystem calls br_port_get_rcu() without guarding against a NULL return, and the additional complexity noted in the fix is that a mere NULL check would still be insufficient - userspace can move the device into a macvlan while the packet is queued, requiring the packet to be dropped entirely. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain local access with CAP_NET_ADMIN
Delivery
Configure bridge with ebtables NFQUEUE redirect rule
Exploit
Send packet through bridge to queue it in NFQUEUE
Install
Remove or reassign bridge port while packet is queued
C2
Issue reinject verdict from NFQUEUE handler
Execute
NULL dereference in ebt_redirect_tg
Impact
Kernel panic and host crash

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following: the Linux kernel must have bridge netfilter support compiled in (CONFIG_BRIDGE_NETFILTER or NETFILTER_FAMILY_BRIDGE enabled) and NFQUEUE support active (CONFIG_NETFILTER_NETLINK_QUEUE); an ebtables rule with the redirect target must be configured to queue packets via NFQUEUE in the bridge family; and the attacker must be able to both control a userspace NFQUEUE handler and remove or reassign bridge port membership - operations that typically require CAP_NET_ADMIN. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H accurately characterizes this as a local, low-complexity denial-of-service with no confidentiality or integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with CAP_NET_ADMIN on a host using ebtables bridge filtering establishes an NFQUEUE handler and crafts an ebtables redirect rule that queues bridge traffic. The attacker sends a packet through the bridge to get it queued in NFQUEUE, then immediately removes the bridge port from the bridge while the packet is pending. …
Remediation Upgrade the Linux kernel to a patched stable release: 6.12.94, 6.18.36, 7.0.13, or 7.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53220 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy