CVE-2026-43100

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bridge: guard local VLAN-0 FDB helpers against NULL vlan group<br /> <br /> When CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and<br /> nbp_vlan_group() return NULL (br_private.h stub definitions). The<br /> BR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and<br /> reaches br_fdb_delete_locals_per_vlan_port() and<br /> br_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer<br /> is dereferenced via list_for_each_entry(v, &amp;vg-&gt;vlan_list, vlist).<br /> <br /> The observed crash is in the delete path, triggered when creating a<br /> bridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0<br /> via RTM_NEWLINK. The insert helper has the same bug pattern.<br /> <br /> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI<br /> KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7]<br /> RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310<br /> Call Trace:<br /> br_fdb_toggle_local_vlan_0+0x452/0x4c0<br /> br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276<br /> br_boolopt_toggle net/bridge/br.c:313<br /> br_boolopt_multi_toggle net/bridge/br.c:364<br /> br_changelink net/bridge/br_netlink.c:1542<br /> br_dev_newlink net/bridge/br_netlink.c:1575<br /> <br /> Add NULL checks for the vlan group pointer in both helpers, returning<br /> early when there are no VLANs to iterate. This matches the existing<br /> pattern used by other bridge FDB functions such as br_fdb_add() and<br /> br_fdb_delete().