Description
In the Linux kernel, the following vulnerability has been resolved:

bridge: mrp: reject zero test interval to avoid OOM panic

br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied
interval value from netlink without validation. When interval is 0,
usecs_to_jiffies(0) yields 0, causing the delayed work
(br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule
itself with zero delay. This creates a tight loop on system_percpu_wq
that allocates and transmits MRP test frames at maximum rate, exhausting
all system memory and causing a kernel panic via OOM deadlock.

The same zero-interval issue applies to br_mrp_start_in_test_parse()
for interconnect test frames.

Use NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both
IFLA_BRIDGE_MRP_START_TEST_INTERVAL and
IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the
netlink attribute parsing layer before the value ever reaches the
workqueue scheduling code. This is consistent with how other bridge
subsystems (br_fdb, br_mst) enforce range constraints on netlink
attributes.
Published: 2026-04-13
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (kernel crash)
Action: Immediate Patch
AI Analysis

Impact

The Linux kernel’s bridge MRP subsystem fails to validate a user‑supplied test interval received via netlink. When the interval is zero, the scheduled work loop reschedules itself with zero delay, initiating a nonstop allocation and transmission of MRP frames that consumes all system memory. The ensuing out‑of‑memory deadlock triggers a kernel panic, effectively denying system service. This flaw illustrates missing input validation (CWE‑606).

Affected Systems

The vulnerability affects all Linux kernel releases that include the bridge MRP code without the applied patch. Specific version ranges are not enumerated, so any kernel older than the new commit that introduces a minimum value of 1 for the attributes IFLA_BRIDGE_MRP_START_TEST_INTERVAL and IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL is susceptible. Administrators should verify the kernel version or the presence of the updated NLA policy to determine exposure.

Risk and Exploitability

No CVSS or EPSS scores are provided, and the flaw is not listed in the CISA KEV catalog. The exploit requires an attacker to send a netlink request to a bridge interface, which typically necessitates privileged or local access. The resulting out‑of‑memory condition can bring the system down, representing a high‑impact denial‑of‑service scenario. The attack vector is local or requires elevated privileges; remote exploitation would only be possible if the host exposes the bridge netlink interface to untrusted users. Given the lack of public exploits, the risk is assessed as high for affected systems that run unpatched kernels and rely on MRP testing.

Generated by OpenCVE AI on April 14, 2026 at 01:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that contains the patch rejecting zero test intervals.
  • If an update cannot be applied immediately, disable MRP test functionality on bridges or restrict netlink access so that only trusted users can modify the test interval.
  • Monitor for out‑of‑memory events or kernel panics and reboot affected nodes as a temporary response while a patch is deployed.

Generated by OpenCVE AI on April 14, 2026 at 01:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-606
References

Mon, 13 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bridge: mrp: reject zero test interval to avoid OOM panic br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied interval value from netlink without validation. When interval is 0, usecs_to_jiffies(0) yields 0, causing the delayed work (br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule itself with zero delay. This creates a tight loop on system_percpu_wq that allocates and transmits MRP test frames at maximum rate, exhausting all system memory and causing a kernel panic via OOM deadlock. The same zero-interval issue applies to br_mrp_start_in_test_parse() for interconnect test frames. Use NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both IFLA_BRIDGE_MRP_START_TEST_INTERVAL and IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the netlink attribute parsing layer before the value ever reaches the workqueue scheduling code. This is consistent with how other bridge subsystems (br_fdb, br_mst) enforce range constraints on netlink attributes.
Title bridge: mrp: reject zero test interval to avoid OOM panic
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T13:40:24.594Z

Reserved: 2026-03-09T15:48:24.088Z

Link: CVE-2026-31420

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-13T14:16:11.617

Modified: 2026-04-13T15:01:43.663

Link: CVE-2026-31420

cve-icon Redhat

Severity :

Publid Date: 2026-04-13T00:00:00Z

Links: CVE-2026-31420 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:34:28Z

Weaknesses