netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-43451
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-05-08 15:16:57 UTC
Updated2026-05-08 15:16:57 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue entry from the queue data structures, taking ownership of the entry. For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN present but NFQA_VLAN_TCI missing), the function returns immediately without freeing the dequeued entry or its sk_buff. This leaks the nf_queue_entry, its associated sk_buff, and all held references (net_device refcounts, struct net refcount). Repeated triggering exhausts kernel memory. Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict on the error path, consistent with other error handling in this file.

Risk And Classification

EPSS: 0.000240000 probability, percentile 0.070210000 (date 2026-05-11)

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 8d45ff22f1b43249f0cf1baafe0262ca10d1666e a907bea273b60d3e604ec4e8e1f6c49954805794 git Not specified
CNA Linux Linux affected 8d45ff22f1b43249f0cf1baafe0262ca10d1666e 0b18d1b834ab5a5009be70b530f978d7989e445b git Not specified
CNA Linux Linux affected 8d45ff22f1b43249f0cf1baafe0262ca10d1666e b38d2b4603fd3dda24eb8b3dd81c18a0930be97b git Not specified
CNA Linux Linux affected 8d45ff22f1b43249f0cf1baafe0262ca10d1666e 47b1c5d1b0944aa88299f55a846fabaefc756982 git Not specified
CNA Linux Linux affected 8d45ff22f1b43249f0cf1baafe0262ca10d1666e cf4a4df38d1747e06fc54f9879bd7a6f4178032f git Not specified
CNA Linux Linux affected 8d45ff22f1b43249f0cf1baafe0262ca10d1666e 9853d94b82d303fc4ac37d592a23a154096ecd41 git Not specified
CNA Linux Linux affected 8d45ff22f1b43249f0cf1baafe0262ca10d1666e 208669df703a25a601f45822b10c413f258bf275 git Not specified
CNA Linux Linux affected 8d45ff22f1b43249f0cf1baafe0262ca10d1666e f1ba83755d81c6fc66ac7acd723d238f974091e9 git Not specified
CNA Linux Linux affected 4.7 Not specified
CNA Linux Linux unaffected 4.7 semver Not specified
CNA Linux Linux unaffected 5.10.253 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.203 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.167 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.130 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.78 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.19 6.18.* semver Not specified
CNA Linux Linux unaffected 6.19.9 6.19.* semver Not specified
CNA Linux Linux unaffected 7.0 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/9853d94b82d303fc4ac37d592a23a154096ecd41 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/cf4a4df38d1747e06fc54f9879bd7a6f4178032f 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/47b1c5d1b0944aa88299f55a846fabaefc756982 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/b38d2b4603fd3dda24eb8b3dd81c18a0930be97b 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/a907bea273b60d3e604ec4e8e1f6c49954805794 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/f1ba83755d81c6fc66ac7acd723d238f974091e9 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/0b18d1b834ab5a5009be70b530f978d7989e445b 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/208669df703a25a601f45822b10c413f258bf275 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report