{"id":"CVE-2026-43451","summary":"netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_queue: fix entry leak in bridge verdict error path\n\nnfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue\nentry from the queue data structures, taking ownership of the entry.\nFor PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN\nattributes.  If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN\npresent but NFQA_VLAN_TCI missing), the function returns immediately\nwithout freeing the dequeued entry or its sk_buff.\n\nThis leaks the nf_queue_entry, its associated sk_buff, and all held\nreferences (net_device refcounts, struct net refcount).  Repeated\ntriggering exhausts kernel memory.\n\nFix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict\non the error path, consistent with other error handling in this file.","modified":"2026-07-08T07:01:43.735343292Z","published":"2026-05-08T14:22:16.716Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43451.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0b18d1b834ab5a5009be70b530f978d7989e445b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/208669df703a25a601f45822b10c413f258bf275"},{"type":"WEB","url":"https://git.kernel.org/stable/c/47b1c5d1b0944aa88299f55a846fabaefc756982"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9853d94b82d303fc4ac37d592a23a154096ecd41"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a907bea273b60d3e604ec4e8e1f6c49954805794"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b38d2b4603fd3dda24eb8b3dd81c18a0930be97b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cf4a4df38d1747e06fc54f9879bd7a6f4178032f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f1ba83755d81c6fc66ac7acd723d238f974091e9"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43451.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43451"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"8d45ff22f1b43249f0cf1baafe0262ca10d1666e"},{"fixed":"a907bea273b60d3e604ec4e8e1f6c49954805794"},{"fixed":"0b18d1b834ab5a5009be70b530f978d7989e445b"},{"fixed":"b38d2b4603fd3dda24eb8b3dd81c18a0930be97b"},{"fixed":"47b1c5d1b0944aa88299f55a846fabaefc756982"},{"fixed":"cf4a4df38d1747e06fc54f9879bd7a6f4178032f"},{"fixed":"9853d94b82d303fc4ac37d592a23a154096ecd41"},{"fixed":"208669df703a25a601f45822b10c413f258bf275"},{"fixed":"f1ba83755d81c6fc66ac7acd723d238f974091e9"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43451.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.7.0"},{"fixed":"5.10.253"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.203"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.167"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.130"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.78"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.19"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.9"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43451.json"}}],"schema_version":"1.7.5"}