Description
In the Linux kernel, the following vulnerability has been resolved:

bridge: mrp: reject zero test interval to avoid OOM panic

br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied
interval value from netlink without validation. When interval is 0,
usecs_to_jiffies(0) yields 0, causing the delayed work
(br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule
itself with zero delay. This creates a tight loop on system_percpu_wq
that allocates and transmits MRP test frames at maximum rate, exhausting
all system memory and causing a kernel panic via OOM deadlock.

The same zero-interval issue applies to br_mrp_start_in_test_parse()
for interconnect test frames.

Use NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both
IFLA_BRIDGE_MRP_START_TEST_INTERVAL and
IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the
netlink attribute parsing layer before the value ever reaches the
workqueue scheduling code. This is consistent with how other bridge
subsystems (br_fdb, br_mst) enforce range constraints on netlink
attributes.
Published: 2026-04-13
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s bridge MRP subsystem fails to validate a user‑supplied test interval received via netlink. When the interval is zero, the scheduled work loop reschedules itself with zero delay, initiating a nonstop allocation and transmission of MRP frames that consumes all system memory. The ensuing out‑of‑memory deadlock triggers a kernel panic, effectively denying system service. This flaw illustrates missing input validation (CWE‑606) and potential concurrent access issues (CWE‑667).

Affected Systems

The vulnerability affects all Linux kernel releases that include the bridge MRP code without the applied patch. Specific version ranges are not enumerated, so any kernel older than the new commit that introduces a minimum value of 1 for the attributes IFLA_BRIDGE_MRP_START_TEST_INTERVAL and IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL is susceptible. Administrators should verify the kernel version or the presence of the updated NLA policy to determine exposure.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity denial‑of‑service vulnerability, while the EPSS score of less than 1% suggests a very low, but nonzero, probability of exploitation. The flaw is not listed in the CISA KEV catalog. An attacker needs to send a netlink request to a bridge interface, typically requiring privileged or local access. When successful, the out‑of‑memory condition can bring the system down, representing a significant denial‑of‑service scenario. The attack vector is resident and likely limited to privileged or local users unless the host exposes the bridge netlink interface to untrusted parties. Given the lack of public exploits and the low exploitation probability, the overall risk is considered medium‑high for unpatched systems that rely on MRP testing.

Generated by OpenCVE AI on May 20, 2026 at 19:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that contains the patch rejecting zero test intervals.
  • If an update cannot be applied immediately, disable MRP test functionality on bridges or restrict netlink access so that only trusted users can modify the test interval.
  • Monitor for out‑of‑memory events or kernel panics and reboot affected nodes as a temporary response while a patch is deployed.

Generated by OpenCVE AI on May 20, 2026 at 19:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-667
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-606
References

Mon, 13 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bridge: mrp: reject zero test interval to avoid OOM panic br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied interval value from netlink without validation. When interval is 0, usecs_to_jiffies(0) yields 0, causing the delayed work (br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule itself with zero delay. This creates a tight loop on system_percpu_wq that allocates and transmits MRP test frames at maximum rate, exhausting all system memory and causing a kernel panic via OOM deadlock. The same zero-interval issue applies to br_mrp_start_in_test_parse() for interconnect test frames. Use NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both IFLA_BRIDGE_MRP_START_TEST_INTERVAL and IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the netlink attribute parsing layer before the value ever reaches the workqueue scheduling code. This is consistent with how other bridge subsystems (br_fdb, br_mst) enforce range constraints on netlink attributes.
Title bridge: mrp: reject zero test interval to avoid OOM panic
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:08:21.817Z

Reserved: 2026-03-09T15:48:24.088Z

Link: CVE-2026-31420

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-13T14:16:11.617

Modified: 2026-05-20T18:11:34.427

Link: CVE-2026-31420

cve-icon Redhat

Severity :

Publid Date: 2026-04-13T00:00:00Z

Links: CVE-2026-31420 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T19:30:37Z

Weaknesses