CVE-2026-53220

MEDIUM

netfilter: revalidate bridge ports

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: revalidate bridge ports ebt_redirect_tg() dereferences br_port_get_rcu() return without a NULL check, causing a kernel panic when the bridge port has been removed between the original hook invocation and an NFQUEUE reinject. A mere NULL check isn't sufficient, however. As sashiko review points out userspace can not only remove the port from the bridge, it could also place the device in a different virtual device, e.g. macvlan. If this happens, we must drop the packet, there is no way for us to reinject it into the bridge path. Switch to _upper API, we don't need the bridge port structure. Also, this fix keeps another bug intact: Both nfnetlink_log and nfnetlink_queue use CONFIG_BRIDGE_NETFILTER too aggressive, which prevents certain logging features when queueing in bridge family: NETFILTER_FAMILY_BRIDGE can be enabled while the old CONFIG_BRIDGE_NETFILTER cruft is off. Fixes tag is a common ancestor, this was always broken.

Scores

CVSS v3 5.5
EPSS 0.0013
EPSS Percentile 2.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-476
Status published
Products (15)
linux/Kernel 2.6.36 - 6.12.94linux
linux/Kernel 6.13.0 - 6.18.36linux
linux/Kernel 6.19.0 - 7.0.13linux
Linux/Linux < 2.6.36
Linux/Linux 2.6.36
Linux/Linux 6.12.94 - 6.12.*
Linux/Linux 6.18.36 - 6.18.*
Linux/Linux 7.0.13 - 7.0.*
Linux/Linux 7.1
Linux/Linux f350a0a87374418635689471606454abc7beaa3a - 43330a1e8aace6b5a8de9aba127e9e394ab49b0f
... and 5 more
Published Jun 25, 2026
Tracked Since Jun 25, 2026