Time-of-check Time-of-use (TOCTOU) Race Condition in Linux kernel - #VU135567
Published: June 26, 2026
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state validation in nfqnl_reinject() in net/netfilter/nfnetlink_queue.c when reinjecting queued bridge packets after bridge port membership changes. A local user can remove a bridge port from the bridge while a packet is queued to cause a denial of service.
The queued skb leaves RCU protection, and the advisory notes that rx_handler_data could point to data that is not a net_bridge_port structure at reinjection time.