CVE-2026-52912

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf queue: hold bridge skb->dev while queued

br pass frame up() rewrites skb->dev from the ingress port to the bridge master before queueing bridge LOCAL IN packets. NFQUEUE only holds references on state.in/out and bridge physdevs, so a queued bridge packet can retain a freed bridge master in skb->dev until reinjection.

When the verdict is reinjected later, br netif receive skb() re-enters the receive path with skb->dev still pointing at the freed bridge master, triggering a use-after-free.

Store skb->dev in the queue entry, hold a reference on it for the queue lifetime, and use the saved device when dropping queued packets during NETDEV DOWN handling.