CVE-2026-43451
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue entry from the queue data structures, taking ownership of the entry. For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN present but NFQA_VLAN_TCI missing), the function returns immediately without freeing the dequeued entry or its sk_buff.
This leaks the nf_queue_entry, its associated sk_buff, and all held references (net_device refcounts, struct net refcount). Repeated triggering exhausts kernel memory.
Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict on the error path, consistent with other error handling in this file.
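The ownership bug described above, as an added userspace model in C (not kernel code and not the upstream patch). The function names follow the description; the structs, the `fixed` flag, the `live_entries` counter and `leaked_after()` are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

/* Userspace model only: simplified stand-ins for the kernel objects. */
struct entry { int id; struct entry *next; };
static struct entry *queue_head;   /* models the per-queue entry list */
static int live_entries;           /* allocated and not yet released */

static void enqueue(int id) {
    struct entry *e = malloc(sizeof(*e));
    if (!e) abort();
    e->id = id; e->next = queue_head; queue_head = e; live_entries++;
}
/* Unlinks the entry: from here on the caller owns it and must release it. */
static struct entry *find_dequeue_entry(int id) {
    for (struct entry **pp = &queue_head; *pp; pp = &(*pp)->next)
        if ((*pp)->id == id) { struct entry *e = *pp; *pp = e->next; return e; }
    return NULL;
}
/* Models the parse failure the description names: VLAN present, TCI missing. */
static int parse_bridge(bool has_vlan, bool has_tci) {
    return (has_vlan && !has_tci) ? -1 : 0;
}
/* Models reinjection with a verdict: the entry and its references are released. */
static void reinject(struct entry *e) { free(e); live_entries--; }

/* fixed=false returns early on a parse error (the leak); fixed=true drops first. */
static int recv_verdict(int id, bool has_vlan, bool has_tci, bool fixed) {
    struct entry *e = find_dequeue_entry(id);
    if (!e) return -2;             /* no such queued entry */
    int err = parse_bridge(has_vlan, has_tci);
    if (err < 0) {
        if (fixed) reinject(e);    /* models NF_DROP on the error path */
        return err;                /* unfixed: e is unreachable and never freed */
    }
    reinject(e);
    return 0;
}
/* Processes n malformed verdicts and reports how many entries stay allocated. */
static int leaked_after(int n, bool fixed) {
    live_entries = 0; queue_head = NULL;
    for (int i = 0; i < n; i++) { enqueue(i); recv_verdict(i, true, false, fixed); }
    return live_entries;
}
int main(void) {
    printf("unfixed: %d leaked, fixed: %d leaked\n",
           leaked_after(100, false), leaked_after(100, true));
    return 0;
}
```

In the unfixed path the entry is already unlinked from the queue when the parse error occurs, so nothing can find and free it later; that is why the leak grows by one entry per malformed verdict.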
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in the Linux kernel's nfnetlink_queue occurs when the bridge verdict error path fails to free a dequeued entry, allowing local attackers to exhaust kernel memory.
Vulnerability
In the Linux kernel's netfilter subsystem, the function nfqnl_recv_verdict() in nfnetlink_queue handles verdicts for queued packets. When processing a packet from a bridge (PF_BRIDGE), it calls find_dequeue_entry() to remove the entry from the queue, taking ownership. It then calls nfqa_parse_bridge() to parse VLAN attributes. If this parsing fails (e.g., NFQA_VLAN present but NFQA_VLAN_TCI missing), the function returns immediately without freeing the dequeued entry or its associated sk_buff. This leaks the nf_queue_entry, the socket buffer, and all held references (net_device refcounts, struct net refcount).
Exploitation
An attacker with local access or the ability to send crafted netfilter queue verdicts can repeatedly trigger this error path by supplying malformed bridge VLAN attributes. Each trigger leaks kernel memory, and repeated exploitation can exhaust available memory, leading to a denial of service. No authentication is required beyond the ability to interact with the nfnetlink_queue subsystem.
Impact
The vulnerability enables a local denial of service by exhausting kernel memory. There is no evidence of code execution or privilege escalation. The leak is confined to systems using nfnetlink_queue with bridge packets, which is common in firewall and network filtering setups.
Mitigation
The fix is included in the Linux kernel stable commit [1], which drops the entry via nfqnl_reinject() with NF_DROP verdict on the error path, consistent with other error handling in the file. Users should apply the patch or update to a kernel version containing this commit. No workaround is documented.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- git.kernel.org/stable/c/0b18d1b834ab5a5009be70b530f978d7989e445b (nvd)
- git.kernel.org/stable/c/208669df703a25a601f45822b10c413f258bf275 (nvd)
- git.kernel.org/stable/c/47b1c5d1b0944aa88299f55a846fabaefc756982 (nvd)
- git.kernel.org/stable/c/9853d94b82d303fc4ac37d592a23a154096ecd41 (nvd)
- git.kernel.org/stable/c/a907bea273b60d3e604ec4e8e1f6c49954805794 (nvd)
- git.kernel.org/stable/c/b38d2b4603fd3dda24eb8b3dd81c18a0930be97b (nvd)
- git.kernel.org/stable/c/cf4a4df38d1747e06fc54f9879bd7a6f4178032f (nvd)
- git.kernel.org/stable/c/f1ba83755d81c6fc66ac7acd723d238f974091e9 (nvd)