NULL Pointer Dereference Affecting linux-qemu-6.12 package, versions <6.12.95-r0


Severity

Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.13% (3rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CHAINGUARDLATEST-LINUXQEMU612-17891180
  • published8 Jul 2026
  • disclosed25 Jun 2026

Introduced: 25 Jun 2026

NewCVE-2026-53220  (opens in a new tab)
CWE-476  (opens in a new tab)

How to fix?

Upgrade Chainguard linux-qemu-6.12 to version 6.12.95-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream linux-qemu-6.12 package and not the linux-qemu-6.12 package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

netfilter: revalidate bridge ports

ebt_redirect_tg() dereferences br_port_get_rcu() return without a NULL check, causing a kernel panic when the bridge port has been removed between the original hook invocation and an NFQUEUE reinject.

A mere NULL check isn't sufficient, however. As sashiko review points out userspace can not only remove the port from the bridge, it could also place the device in a different virtual device, e.g. macvlan.

If this happens, we must drop the packet, there is no way for us to reinject it into the bridge path.

Switch to _upper API, we don't need the bridge port structure. Also, this fix keeps another bug intact:

Both nfnetlink_log and nfnetlink_queue use CONFIG_BRIDGE_NETFILTER too aggressive, which prevents certain logging features when queueing in bridge family: NETFILTER_FAMILY_BRIDGE can be enabled while the old CONFIG_BRIDGE_NETFILTER cruft is off.

Fixes tag is a common ancestor, this was always broken.

CVSS Base Scores

version 3.1