CVE-2026-53220 Overview
CVE-2026-53220 is a null pointer dereference vulnerability in the Linux kernel's netfilter subsystem. The flaw resides in ebt_redirect_tg(), which dereferences the return value of br_port_get_rcu() without performing a NULL check. When a bridge port is removed between the original hook invocation and an NFQUEUE reinject, the kernel panics. A simple NULL check is insufficient because userspace can also move the device into a different virtual device such as macvlan, requiring the packet to be dropped entirely.
Critical Impact
Local users with network configuration privileges can trigger a kernel panic by removing or reassigning a bridge port during NFQUEUE packet reinjection, causing denial of service.
Affected Products
- Linux kernel (netfilter subsystem with CONFIG_BRIDGE_NETFILTER)
- Linux distributions shipping vulnerable stable kernels prior to the fix commits
- Systems using the ebtables redirect target with NFQUEUE userspace queueing
Discovery Timeline
- 2026-06-25 - CVE-2026-53220 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-53220
Vulnerability Analysis
The vulnerability is a null pointer dereference [CWE-476] in the Linux kernel netfilter bridge code path. The ebt_redirect_tg() function implements the ebtables redirect target, which rewrites the destination MAC address of a frame to that of the bridge port the frame arrived on. To resolve the bridge port, the function calls br_port_get_rcu() and immediately dereferences the returned pointer.
When a packet is queued to userspace via NFQUEUE and later reinjected, the original ingress interface may no longer be a bridge port. Userspace controls the timing of the reinject and can race with bridge configuration changes. The bridge port may be removed, or the device may be enslaved to a different virtual interface such as macvlan before reinjection completes.
Root Cause
The root cause is twofold. First, ebt_redirect_tg() assumes that the input device remains a bridge port across the lifetime of a packet, an assumption that does not hold when packets are queued and reinjected asynchronously. Second, the original fix attempt of adding a NULL check failed to account for the case where the device has been moved into a non-bridge upper device. The corrected fix switches to the _upper API, which removes the dependency on the bridge port structure entirely and drops the packet when the device is no longer suitable for bridge reinjection.
Attack Vector
Exploitation requires local privileges to configure bridge interfaces and netfilter rules. An attacker with CAP_NET_ADMIN capability can configure an ebtables rule using the redirect target combined with an NFQUEUE rule, then race bridge port removal or device reassignment against NFQUEUE reinjection. The race window is reached by repeatedly removing the device from the bridge or moving it under a macvlan upper while NFQUEUE traffic is in flight. Successful exploitation panics the kernel, producing a denial-of-service condition on the host. Network code paths reachable from containers or unprivileged user namespaces with CAP_NET_ADMIN inside the namespace may extend the attack surface in some deployments.
The vulnerability mechanism is documented across the upstream stable commits. See kernel Git commits 43330a1, 4beffcd7, ccb9fd4b and d4b1301f for the corrected code paths.
Detection Methods for CVE-2026-53220
Indicators of Compromise
- Kernel oops or panic messages referencing ebt_redirect_tg or br_port_get_rcu in the call stack.
- Unexpected host reboots or hangs on systems running ebtables rules with the redirect target alongside NFQUEUE userspace queueing.
- dmesg entries showing NULL pointer dereference at low virtual addresses within netfilter bridge code paths.
Detection Strategies
- Audit running kernel versions against the patched stable releases identified by the upstream commits.
- Inventory ebtables and nftables rulesets for use of the redirect target combined with NFQUEUE verdicts.
- Monitor kernel crash dumps and kdump output for stack traces involving the netfilter bridge module.
Monitoring Recommendations
- Forward kernel logs and crash artifacts to a centralized logging or SIEM platform for correlation across hosts.
- Alert on repeated kernel panics within short time windows, which may indicate active exploitation attempts.
- Track bridge port membership changes (netlink RTM_DELLINK, RTM_NEWLINK events) on hosts running netfilter queueing.
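The oops signature listed under Indicators of Compromise can be matched mechanically rather than by eye. The following is an added example, not part of this advisory: a small C correlator that scans kernel log lines and reports a NULL-pointer BUG line that is followed, within a short window, by a frame naming ebt_redirect_tg or br_port_get_rcu. The dmesg-style lines, addresses, offsets and process name embedded in it are constructed samples, not captured output, and the 20-line window is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not part of the advisory: correlate kernel log lines into the
 * oops signature listed under Indicators of Compromise. All log lines below are
 * constructed samples in dmesg style, not captured output. */

/* A NULL-deref BUG line followed within this many lines by a frame in the
 * netfilter bridge redirect path is treated as one incident (assumed window). */
#define TRACE_WINDOW 20

struct oops_match {
    int bug_line;        /* index of the "BUG: kernel NULL pointer dereference" line */
    int frame_line;      /* index of the first frame naming a watched symbol */
    const char *symbol;  /* which watched symbol matched */
};

/* Symbols named in the advisory's indicators. */
static const char *const WATCHED_SYMBOLS[] = { "ebt_redirect_tg", "br_port_get_rcu" };

/* Returns the watched symbol a line mentions, or NULL. */
const char *watched_symbol_in(const char *line)
{
    for (size_t k = 0; k < sizeof WATCHED_SYMBOLS / sizeof WATCHED_SYMBOLS[0]; k++)
        if (strstr(line, WATCHED_SYMBOLS[k]))
            return WATCHED_SYMBOLS[k];
    return NULL;
}

/* Scans lines[0..n) and returns 1 (filling *m) on the first NULL-pointer BUG
 * line that is followed within TRACE_WINDOW lines by a watched symbol;
 * returns 0 when no such pair exists. A watched symbol without a preceding
 * BUG line (e.g. a module load message) does not match. */
int find_ebt_redirect_oops(const char *const lines[], int n, struct oops_match *m)
{
    int bug_at = -1;
    for (int i = 0; i < n; i++) {
        if (strstr(lines[i], "BUG: kernel NULL pointer dereference")) {
            bug_at = i;
            continue;
        }
        if (bug_at < 0 || i - bug_at > TRACE_WINDOW)
            continue;
        const char *sym = watched_symbol_in(lines[i]);
        if (sym) {
            m->bug_line = bug_at;
            m->frame_line = i;
            m->symbol = sym;
            return 1;
        }
    }
    return 0;
}

/* Constructed sample: an oops in the redirect path after an NFQUEUE reinject. */
const char *const SAMPLE_OOPS[] = {
    "[ 1234.567890] BUG: kernel NULL pointer dereference, address: 0000000000000010",
    "[ 1234.567901] #PF: supervisor read access in kernel mode",
    "[ 1234.567910] Oops: 0000 [#1] SMP",
    "[ 1234.567920] CPU: 2 PID: 4321 Comm: nfq-daemon Not tainted (constructed)",
    "[ 1234.567930] RIP: 0010:ebt_redirect_tg+0x4a/0xd0 [ebt_redirect]",
    "[ 1234.567940] Call Trace:",
    "[ 1234.567950]  ebt_do_table+0x1c3/0x3e0 [ebtables]",
    "[ 1234.567960]  nf_reinject+0xe2/0x1d0",
};
const int SAMPLE_OOPS_LEN = sizeof SAMPLE_OOPS / sizeof SAMPLE_OOPS[0];

/* Constructed sample: benign lines that mention the module but show no oops. */
const char *const SAMPLE_BENIGN[] = {
    "[   12.000000] ebt_redirect: loaded (constructed sample line)",
    "[   12.000010] br0: port 1(eth0) entered forwarding state",
    "[   12.000020] nfnetlink_queue: registered",
};
const int SAMPLE_BENIGN_LEN = sizeof SAMPLE_BENIGN / sizeof SAMPLE_BENIGN[0];

int main(void)
{
    struct oops_match m;
    if (find_ebt_redirect_oops(SAMPLE_OOPS, SAMPLE_OOPS_LEN, &m))
        printf("oops signature: BUG at line %d, %s at line %d\n",
               m.bug_line, m.symbol, m.frame_line);
    if (!find_ebt_redirect_oops(SAMPLE_BENIGN, SAMPLE_BENIGN_LEN, &m))
        printf("benign sample: no match\n");
    return 0;
}
```

The window requirement is what keeps the rule from firing on a module load message or a routine bridge state change that happens to name the same symbols; in a SIEM the same pairing can be expressed as a sequence rule keyed on host and timestamp.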
How to Mitigate CVE-2026-53220
Immediate Actions Required
- Apply the upstream Linux kernel stable updates that include the four referenced commits, then reboot affected hosts.
- Restrict CAP_NET_ADMIN and bridge configuration privileges to trusted administrators only.
- Review and remove unnecessary ebtables redirect rules combined with NFQUEUE on production hosts until the patch is deployed.
Patch Information
The fix replaces the use of br_port_get_rcu() with the netdevice _upper API in the netfilter bridge path. When the input device is no longer a bridge port, the packet is dropped rather than reinjected. The corrected behavior is implemented in commits 43330a1e, 4beffcd7, ccb9fd4b, and d4b1301f. Distribution vendors are rolling these changes into their stable kernel updates.
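To make the root cause described above and the shape of the fix concrete, here is an added example that is not the kernel's code and is not taken from the referenced commits: a userspace C model of the decision made in ebt_redirect_tg(). It assumes that br_port_get_rcu() hands back whatever rx-handler data the input device currently carries (so a device re-enslaved to macvlan yields a non-NULL pointer that is not a bridge port), models the _upper API as a single upper pointer plus a bridge-master flag, and uses constructed device names and MAC addresses. Three variants are run against the same three device states: the unchecked dereference, the NULL-check-only attempt the advisory calls insufficient, and the corrected drop-unless-bridge logic.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not kernel source: a userspace model of the decision logic
 * in ebt_redirect_tg() before and after the fix. Structure and field names
 * are simplified stand-ins for the kernel's net_device / net_bridge_port. */

enum verdict { VERDICT_ACCEPT = 0, VERDICT_DROP = 1, VERDICT_CRASH = 2 };
enum rx_owner { RX_OWNER_BRIDGE = 1, RX_OWNER_MACVLAN = 2 };

struct rx_handler_slot;

struct net_device {
    const char *name;
    unsigned char dev_addr[6];
    int is_bridge_master;                    /* models netif_is_bridge_master() */
    struct net_device *upper;                /* upper device as the _upper API reports it (model assumption) */
    struct rx_handler_slot *rx_handler_data; /* models dev->rx_handler_data */
};

/* Whichever rx handler owns the device (bridge or macvlan) installs one of
 * these. The kernel pointer carries no owner tag; the tag exists here only so
 * the model can show what the unchecked code really read. */
struct rx_handler_slot {
    enum rx_owner owner;
    struct net_device *master;  /* bridge device for a bridge port, macvlan device otherwise */
};

/* Model of br_port_get_rcu(): returns rx_handler_data as if it were a bridge
 * port, regardless of who installed it (assumed behaviour). */
static struct rx_handler_slot *model_br_port_get_rcu(const struct net_device *dev)
{
    return dev->rx_handler_data;
}

/* Vulnerable pattern: unconditional dereference of the port pointer.
 * VERDICT_CRASH stands in for the kernel's NULL pointer dereference. */
enum verdict redirect_vulnerable(const struct net_device *in, unsigned char dest[6])
{
    struct rx_handler_slot *port = model_br_port_get_rcu(in);
    if (port == NULL)
        return VERDICT_CRASH;
    memcpy(dest, port->master->dev_addr, 6);
    return VERDICT_ACCEPT;
}

/* The insufficient first fix: a NULL check alone. Once the device is moved
 * under macvlan, rx_handler_data is non-NULL again but is not a bridge port,
 * so the frame is rewritten with the wrong address instead of being dropped. */
enum verdict redirect_null_check_only(const struct net_device *in, unsigned char dest[6])
{
    struct rx_handler_slot *port = model_br_port_get_rcu(in);
    if (port == NULL)
        return VERDICT_DROP;
    memcpy(dest, port->master->dev_addr, 6);
    return VERDICT_ACCEPT;
}

/* Corrected logic as the advisory describes it: resolve the upper device,
 * require it to be a bridge, drop otherwise. rx_handler_data is never used. */
enum verdict redirect_fixed(const struct net_device *in, unsigned char dest[6])
{
    const struct net_device *br = in->upper;
    if (br == NULL || !br->is_bridge_master)
        return VERDICT_DROP;
    memcpy(dest, br->dev_addr, 6);
    return VERDICT_ACCEPT;
}

/* Constructed topology: eth0 as seen at reinject time in three states. */
enum eth0_state { ETH0_BRIDGED = 0, ETH0_REMOVED = 1, ETH0_UNDER_MACVLAN = 2 };

struct net_device *eth0_in_state(enum eth0_state state)
{
    static struct net_device br0 = { "br0", {0x02,0,0,0,0,0xb0}, 1, NULL, NULL };
    static struct net_device macvlan0 = { "macvlan0", {0x02,0,0,0,0,0xc0}, 0, NULL, NULL };
    static struct rx_handler_slot br_slot = { RX_OWNER_BRIDGE, &br0 };
    static struct rx_handler_slot mv_slot = { RX_OWNER_MACVLAN, &macvlan0 };
    static struct net_device eth0 = { "eth0", {0x02,0,0,0,0,0xe0}, 0, NULL, NULL };

    switch (state) {
    case ETH0_BRIDGED:       eth0.upper = &br0;      eth0.rx_handler_data = &br_slot; break;
    case ETH0_REMOVED:       eth0.upper = NULL;      eth0.rx_handler_data = NULL;     break;
    case ETH0_UNDER_MACVLAN: eth0.upper = &macvlan0; eth0.rx_handler_data = &mv_slot; break;
    }
    return &eth0;
}

int main(void)
{
    static const char *names[] = { "bridged", "port removed", "under macvlan" };
    static const char *verdicts[] = { "accept", "drop", "CRASH" };
    for (int s = 0; s < 3; s++) {
        unsigned char mac[6] = {0};
        struct net_device *eth0 = eth0_in_state((enum eth0_state)s);
        printf("%-14s vulnerable=%-6s null-check=%-6s fixed=%-6s\n", names[s],
               verdicts[redirect_vulnerable(eth0, mac)],
               verdicts[redirect_null_check_only(eth0, mac)],
               verdicts[redirect_fixed(eth0, mac)]);
    }
    return 0;
}
```

The "under macvlan" row is the one that matters for the advisory's point: the NULL-check-only variant returns accept with the macvlan device's address in the frame, while the corrected variant drops the packet because the upper device is not a bridge.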
Workarounds
- Disable or unload the ebtables redirect target on hosts where it is not required.
- Avoid combining ebtables redirect rules with NFQUEUE userspace reinjection until the patched kernel is deployed.
- Where feasible, set CONFIG_BRIDGE_NETFILTER=n in custom kernels that do not require bridge-level netfilter hooks.
# Identify ebtables rules using the redirect target
ebtables -t nat -L | grep -i redirect
# Remove a redirect rule (example, adjust to match your configuration)
ebtables -t nat -D PREROUTING -i eth0 -j redirect
# Verify running kernel version against patched stable releases
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

