Bug 2468239 (CVE-2026-43451) - CVE-2026-43451 kernel: netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
Summary: CVE-2026-43451 kernel: netfilter: nfnetlink_queue: fix entry leak in bridge v...
Keywords:
Status: NEW
Alias: CVE-2026-43451
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-08 15:06 UTC by OSIDB Bzimport
Modified: 2026-05-09 00:38 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-08 15:06:28 UTC 
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path

nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue
entry from the queue data structures, taking ownership of the entry.
For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN
attributes.  If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN
present but NFQA_VLAN_TCI missing), the function returns immediately
without freeing the dequeued entry or its sk_buff.

This leaks the nf_queue_entry, its associated sk_buff, and all held
references (net_device refcounts, struct net refcount).  Repeated
triggering exhausts kernel memory.

Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict
on the error path, consistent with other error handling in this file.
Comment 1 Keith Grant 2026-05-09 00:34:57 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050857-CVE-2026-43451-1195@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.