Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local attack vector with no confidentiality or integrity impact; attacker controls both NFQUEUE timing and bridge port removal, making AC:L appropriate despite the race condition.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
netfilter: revalidate bridge ports
ebt_redirect_tg() dereferences br_port_get_rcu() return without a NULL check, causing a kernel panic when the bridge port has been removed between the original hook invocation and an NFQUEUE reinject.
A mere NULL check isn't sufficient, however. As sashiko review points out userspace can not only remove the port from the bridge, it could also place the device in a different virtual device, e.g. macvlan.
If this happens, we must drop the packet, there is no way for us to reinject it into the bridge path.
Switch to _upper API, we don't need the bridge port structure. Also, this fix keeps another bug intact:
Both nfnetlink_log and nfnetlink_queue use CONFIG_BRIDGE_NETFILTER too aggressive, which prevents certain logging features when queueing in bridge family: NETFILTER_FAMILY_BRIDGE can be enabled while the old CONFIG_BRIDGE_NETFILTER cruft is off.
Fixes tag is a common ancestor, this was always broken.
AnalysisAI
NULL pointer dereference in the Linux kernel netfilter bridge redirect target crashes the kernel when a bridge port is removed or reassigned between an initial NFQUEUE hook invocation and packet reinject. The affected function ebt_redirect_tg() in the ebtables bridge filtering subsystem calls br_port_get_rcu() without guarding against a NULL return, and the additional complexity noted in the fix is that a mere NULL check would still be insufficient - userspace can move the device into a macvlan while the packet is queued, requiring the packet to be dropped entirely. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of the following: the Linux kernel must have bridge netfilter support compiled in (CONFIG_BRIDGE_NETFILTER or NETFILTER_FAMILY_BRIDGE enabled) and NFQUEUE support active (CONFIG_NETFILTER_NETLINK_QUEUE); an ebtables rule with the redirect target must be configured to queue packets via NFQUEUE in the bridge family; and the attacker must be able to both control a userspace NFQUEUE handler and remove or reassign bridge port membership - operations that typically require CAP_NET_ADMIN. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H accurately characterizes this as a local, low-complexity denial-of-service with no confidentiality or integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker with CAP_NET_ADMIN on a host using ebtables bridge filtering establishes an NFQUEUE handler and crafts an ebtables redirect rule that queues bridge traffic. The attacker sends a packet through the bridge to get it queued in NFQUEUE, then immediately removes the bridge port from the bridge while the packet is pending. … |
| Remediation | Upgrade the Linux kernel to a patched stable release: 6.12.94, 6.18.36, 7.0.13, or 7.1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39311
GHSA-7q5m-qv9w-c8xx