In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_queue: hold bridge skb->dev while queued br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge master before queueing bridge LOCAL_IN packets. NFQUEUE only holds references on state.in/out and bridge physdevs, so a queued bridge packet can retain a freed bridge master in skb->dev until reinjection. When the verdict is reinjected later, br_netif_receive_skb() re-enters the receive path with skb->dev still pointing at the freed bridge master, triggering a use-after-free. Store skb->dev in the queue entry, hold a reference on it for the queue lifetime, and use the saved device when dropping queued packets during NETDEV_DOWN handling.
| Vendor | Product | Versions |
|---|---|---|
| linux | linux kernel | ac28634456867b23b95faccba7997a62ec430603, ac28634456867b23b95faccba7997a62ec430603, ac28634456867b23b95faccba7997a62ec430603, ac28634456867b23b95faccba7997a62ec430603, ac28634456867b23b95faccba7997a62ec430603, ac28634456867b23b95faccba7997a62ec430603, ac28634456867b23b95faccba7997a62ec430603, ac28634456867b23b95faccba7997a62ec430603, 4.7 |
Downstream vendors/products affected by this vulnerability
| Vendor | Product | Source | Confidence |
|---|---|---|---|
| linux | linux | mitre_affected | 90% |
| open source | open source linux kernel | cert_advisory | 90% |
Updated severity to CRITICAL, added affected version 7.0.10, and corrected exploit availability to false.
Updated description with more technical detail, added affected version 4.7, and changed severity to HIGH.
Initial creation
