CVE-2026-45913
Gravedad CVSS v3.1:
MEDIA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
27/05/2026
Última modificación:
24/06/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net: bridge: mcast: always update mdb_n_entries for vlan contexts<br />
<br />
syzbot triggered a warning[1] about the number of mdb entries in a context.<br />
It turned out that there are multiple ways to trigger that warning today<br />
(some got added during the years), the root cause of the problem is that<br />
the increase is done conditionally, and over the years these different<br />
conditions increased so there were new ways to trigger the warning, that is<br />
to do a decrease which wasn&#39;t paired with a previous increase.<br />
<br />
For example one way to trigger it is with flush:<br />
$ ip l add br0 up type bridge vlan_filtering 1 mcast_snooping 1<br />
$ ip l add dumdum up master br0 type dummy<br />
$ bridge mdb add dev br0 port dumdum grp 239.0.0.1 permanent vid 1<br />
$ ip link set dev br0 down<br />
$ ip link set dev br0 type bridge mcast_vlan_snooping 1<br />
^^^^ this will enable snooping, but will not update mdb_n_entries<br />
because in __br_multicast_enable_port_ctx() we check !netif_running<br />
$ bridge mdb flush dev br0<br />
^^^ this will trigger the warning because it will delete the pg which<br />
we added above, which will try to decrease mdb_n_entries<br />
<br />
Fix the problem by removing the conditional increase and always keep the<br />
count up-to-date while the vlan exists. In order to do that we have to<br />
first initialize it on port-vlan context creation, and then always increase<br />
or decrease the value regardless of mcast options. To keep the current<br />
behaviour we have to enforce the mdb limit only if the context is port&#39;s or<br />
if the port-vlan&#39;s mcast snooping is enabled.<br />
<br />
[1]<br />
------------[ cut here ]------------<br />
n == 0<br />
WARNING: net/bridge/br_multicast.c:718 at br_multicast_port_ngroups_dec_one net/bridge/br_multicast.c:718 [inline], CPU#0: syz.4.4607/22043<br />
WARNING: net/bridge/br_multicast.c:718 at br_multicast_port_ngroups_dec net/bridge/br_multicast.c:771 [inline], CPU#0: syz.4.4607/22043<br />
WARNING: net/bridge/br_multicast.c:718 at br_multicast_del_pg+0x1bbe/0x1e20 net/bridge/br_multicast.c:825, CPU#0: syz.4.4607/22043<br />
Modules linked in:<br />
CPU: 0 UID: 0 PID: 22043 Comm: syz.4.4607 Not tainted syzkaller #0 PREEMPT(full)<br />
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026<br />
RIP: 0010:br_multicast_port_ngroups_dec_one net/bridge/br_multicast.c:718 [inline]<br />
RIP: 0010:br_multicast_port_ngroups_dec net/bridge/br_multicast.c:771 [inline]<br />
RIP: 0010:br_multicast_del_pg+0x1bbe/0x1e20 net/bridge/br_multicast.c:825<br />
Code: 41 5f 5d e9 04 7a 48 f7 e8 3f 73 5c f7 90 0f 0b 90 e9 cf fd ff ff e8 31 73 5c f7 90 0f 0b 90 e9 16 fd ff ff e8 23 73 5c f7 90 0b 90 e9 60 fd ff ff e8 15 73 5c f7 eb 05 e8 0e 73 5c f7 48 8b<br />
RSP: 0018:ffffc9000c207220 EFLAGS: 00010293<br />
RAX: ffffffff8a68042d RBX: ffff88807c6f1800 RCX: ffff888066e90000<br />
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000<br />
RBP: 0000000000000000 R08: ffff888066e90000 R09: 000000000000000c<br />
R10: 000000000000000c R11: 0000000000000000 R12: ffff8880303ef800<br />
R13: dffffc0000000000 R14: ffff888050eb11c4 R15: 1ffff1100a1d6238<br />
FS: 00007fa45921b6c0(0000) GS:ffff8881256f5000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 00007fa4591f9ff8 CR3: 0000000081df2000 CR4: 00000000003526f0<br />
Call Trace:<br />
<br />
br_mdb_flush_pgs net/bridge/br_mdb.c:1525 [inline]<br />
br_mdb_flush net/bridge/br_mdb.c:1544 [inline]<br />
br_mdb_del_bulk+0x5e2/0xb20 net/bridge/br_mdb.c:1561<br />
rtnl_mdb_del+0x48a/0x640 net/core/rtnetlink.c:-1<br />
rtnetlink_rcv_msg+0x77e/0xbe0 net/core/rtnetlink.c:6967<br />
netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550<br />
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]<br />
netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344<br />
netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894<br />
sock_sendmsg_nosec net/socket.c:727 [inline]<br />
__sock_sendmsg net/socket.c:742 [inline]<br />
____sys_sendmsg+0xa68/0xad0 net/socket.c:2592<br />
___sys_sendmsg+0x2a5/0x360 net/socke<br />
---truncated---
Impacto
Puntuación base 3.x
5.50
Gravedad 3.x
MEDIA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.3 (incluyendo) | 6.6.128 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (incluyendo) | 6.12.75 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (incluyendo) | 6.18.14 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (incluyendo) | 6.19.4 (excluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/45525fdfd4cb612d7b414dd5cfa1f43892a7cd71
- https://git.kernel.org/stable/c/724a405ce0309676f1e993c173382b4c4a022beb
- https://git.kernel.org/stable/c/8b769e311a86bb9d15c5658ad283b86fc8f080a2
- https://git.kernel.org/stable/c/d0fdad1bdd21a358cc2c85da3681ae27b86ce6ce
- https://git.kernel.org/stable/c/fae260fc84e1eae8f590c7907e53e8768df2d986



