CVE-2026-43451: netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path

[Greg Kroah-Hartman <gregkh@linuxfoundation.org>]

From: Greg Kroah-Hartman <gregkh@kernel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path

nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue
entry from the queue data structures, taking ownership of the entry.
For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN
attributes.  If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN
present but NFQA_VLAN_TCI missing), the function returns immediately
without freeing the dequeued entry or its sk_buff.

This leaks the nf_queue_entry, its associated sk_buff, and all held
references (net_device refcounts, struct net refcount).  Repeated
triggering exhausts kernel memory.

Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict
on the error path, consistent with other error handling in this file.

The Linux kernel CVE team has assigned CVE-2026-43451 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.7 with commit 8d45ff22f1b43249f0cf1baafe0262ca10d1666e and fixed in 5.10.253 with commit a907bea273b60d3e604ec4e8e1f6c49954805794
	Issue introduced in 4.7 with commit 8d45ff22f1b43249f0cf1baafe0262ca10d1666e and fixed in 5.15.203 with commit 0b18d1b834ab5a5009be70b530f978d7989e445b
	Issue introduced in 4.7 with commit 8d45ff22f1b43249f0cf1baafe0262ca10d1666e and fixed in 6.1.167 with commit b38d2b4603fd3dda24eb8b3dd81c18a0930be97b
	Issue introduced in 4.7 with commit 8d45ff22f1b43249f0cf1baafe0262ca10d1666e and fixed in 6.6.130 with commit 47b1c5d1b0944aa88299f55a846fabaefc756982
	Issue introduced in 4.7 with commit 8d45ff22f1b43249f0cf1baafe0262ca10d1666e and fixed in 6.12.78 with commit cf4a4df38d1747e06fc54f9879bd7a6f4178032f
	Issue introduced in 4.7 with commit 8d45ff22f1b43249f0cf1baafe0262ca10d1666e and fixed in 6.18.19 with commit 9853d94b82d303fc4ac37d592a23a154096ecd41
	Issue introduced in 4.7 with commit 8d45ff22f1b43249f0cf1baafe0262ca10d1666e and fixed in 6.19.9 with commit 208669df703a25a601f45822b10c413f258bf275
	Issue introduced in 4.7 with commit 8d45ff22f1b43249f0cf1baafe0262ca10d1666e and fixed in 7.0 with commit f1ba83755d81c6fc66ac7acd723d238f974091e9

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-43451
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/netfilter/nfnetlink_queue.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/a907bea273b60d3e604ec4e8e1f6c49954805794
	https://git.kernel.org/stable/c/0b18d1b834ab5a5009be70b530f978d7989e445b
	https://git.kernel.org/stable/c/b38d2b4603fd3dda24eb8b3dd81c18a0930be97b
	https://git.kernel.org/stable/c/47b1c5d1b0944aa88299f55a846fabaefc756982
	https://git.kernel.org/stable/c/cf4a4df38d1747e06fc54f9879bd7a6f4178032f
	https://git.kernel.org/stable/c/9853d94b82d303fc4ac37d592a23a154096ecd41
	https://git.kernel.org/stable/c/208669df703a25a601f45822b10c413f258bf275
	https://git.kernel.org/stable/c/f1ba83755d81c6fc66ac7acd723d238f974091e9