From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 440593F0772 for ; Fri, 8 May 2026 14:26:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778250377; cv=none; b=icAq2+uFWLDl6wWmWBln1dAuB6FPxoZ6fZDcOlTBP6n2ryS+W4UpMnntMBnudnv/iUHkfnzvPViPMw9273c+cGhC9NG3Y8dHd30v8uKki/UA0EeNfIHiLl/jmU+8Be63jNTgNesA4YU8t/BJxT7/i+CkzFC3aQ56htWjck2hEWM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778250377; c=relaxed/simple; bh=hrlf8wlk6qTLt/CWEQxoet2YSOV2vL2isWYQ+ok95jI=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=R+49XkO1ndEXCL+f6Q3kpJSBY/nx1BLIzSWy9mFRGsqtoE4z6kUIcz3FZk93Yk3liaaa7ZOg8jFnl5yQj8Tvvg2MODdI/q2jDVrp45L3JVuVMzQovPh9fMv5ptLjqjlPC1/+zqqr4iUSfNCbfOt6VISvMl2xx+lpq/yDAR4nXHE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=rVmu95No; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="rVmu95No" Received: by smtp.kernel.org (Postfix) with ESMTPSA id A0740C2BCB0; Fri, 8 May 2026 14:26:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1778250377; bh=hrlf8wlk6qTLt/CWEQxoet2YSOV2vL2isWYQ+ok95jI=; h=From:To:Cc:Subject:Date:Reply-To:From; b=rVmu95No9si/VCTPqDWleIiM3KSkVmsjLMQakCnHSbNsw54XYQTWAWMtS68RS/Ht8 7U/OqqBOvCGfEXrylqqTG/cNz0t+v+QsaeHHXJDIZyL4MclX/Uf+Vmlrn1tAjhdoNT uLH+j/3YQMaItSal0k9NCqyd5oidKbE3EF1fUbnA= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2026-43451: netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path Date: Fri, 8 May 2026 16:23:00 +0200 Message-ID: <2026050857-CVE-2026-43451-1195@gregkh> X-Mailer: git-send-email 2.54.0 Reply-To: , Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=3875; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=dYpG1pdP5BrT3ODgzYQV/yBOxxjZZ5UFs9TzkLeuPE4=; b=owGbwMvMwCRo6H6F97bub03G02pJDJl/P7ZJiqbwds36sOKlZbX3u5uHtxi2Cf8w/sVz5zinv oPKPdP8jlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZjIuUsM8/O/z07YqXC6zix8 jqLluoNfBBMTBBkWXI3hW7vj1NqWmxIck237A4R58u+9AQA= X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit From: Greg Kroah-Hartman Description =========== In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue entry from the queue data structures, taking ownership of the entry. For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN present but NFQA_VLAN_TCI missing), the function returns immediately without freeing the dequeued entry or its sk_buff. This leaks the nf_queue_entry, its associated sk_buff, and all held references (net_device refcounts, struct net refcount). Repeated triggering exhausts kernel memory. Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict on the error path, consistent with other error handling in this file. The Linux kernel CVE team has assigned CVE-2026-43451 to this issue. Affected and fixed versions =========================== Issue introduced in 4.7 with commit 8d45ff22f1b43249f0cf1baafe0262ca10d1666e and fixed in 5.10.253 with commit a907bea273b60d3e604ec4e8e1f6c49954805794 Issue introduced in 4.7 with commit 8d45ff22f1b43249f0cf1baafe0262ca10d1666e and fixed in 5.15.203 with commit 0b18d1b834ab5a5009be70b530f978d7989e445b Issue introduced in 4.7 with commit 8d45ff22f1b43249f0cf1baafe0262ca10d1666e and fixed in 6.1.167 with commit b38d2b4603fd3dda24eb8b3dd81c18a0930be97b Issue introduced in 4.7 with commit 8d45ff22f1b43249f0cf1baafe0262ca10d1666e and fixed in 6.6.130 with commit 47b1c5d1b0944aa88299f55a846fabaefc756982 Issue introduced in 4.7 with commit 8d45ff22f1b43249f0cf1baafe0262ca10d1666e and fixed in 6.12.78 with commit cf4a4df38d1747e06fc54f9879bd7a6f4178032f Issue introduced in 4.7 with commit 8d45ff22f1b43249f0cf1baafe0262ca10d1666e and fixed in 6.18.19 with commit 9853d94b82d303fc4ac37d592a23a154096ecd41 Issue introduced in 4.7 with commit 8d45ff22f1b43249f0cf1baafe0262ca10d1666e and fixed in 6.19.9 with commit 208669df703a25a601f45822b10c413f258bf275 Issue introduced in 4.7 with commit 8d45ff22f1b43249f0cf1baafe0262ca10d1666e and fixed in 7.0 with commit f1ba83755d81c6fc66ac7acd723d238f974091e9 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-43451 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/netfilter/nfnetlink_queue.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/a907bea273b60d3e604ec4e8e1f6c49954805794 https://git.kernel.org/stable/c/0b18d1b834ab5a5009be70b530f978d7989e445b https://git.kernel.org/stable/c/b38d2b4603fd3dda24eb8b3dd81c18a0930be97b https://git.kernel.org/stable/c/47b1c5d1b0944aa88299f55a846fabaefc756982 https://git.kernel.org/stable/c/cf4a4df38d1747e06fc54f9879bd7a6f4178032f https://git.kernel.org/stable/c/9853d94b82d303fc4ac37d592a23a154096ecd41 https://git.kernel.org/stable/c/208669df703a25a601f45822b10c413f258bf275 https://git.kernel.org/stable/c/f1ba83755d81c6fc66ac7acd723d238f974091e9