Description
In the Linux kernel, the following vulnerability has been resolved:

bridge: guard local VLAN-0 FDB helpers against NULL vlan group

When CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and
nbp_vlan_group() return NULL (br_private.h stub definitions). The
BR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and
reaches br_fdb_delete_locals_per_vlan_port() and
br_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer
is dereferenced via list_for_each_entry(v, &vg->vlan_list, vlist).

The observed crash is in the delete path, triggered when creating a
bridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0
via RTM_NEWLINK. The insert helper has the same bug pattern.

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI
KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7]
RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310
Call Trace:
br_fdb_toggle_local_vlan_0+0x452/0x4c0
br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276
br_boolopt_toggle net/bridge/br.c:313
br_boolopt_multi_toggle net/bridge/br.c:364
br_changelink net/bridge/br_netlink.c:1542
br_dev_newlink net/bridge/br_netlink.c:1575

Add NULL checks for the vlan group pointer in both helpers, returning
early when there are no VLANs to iterate. This matches the existing
pattern used by other bridge FDB functions such as br_fdb_add() and
br_fdb_delete().
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a null pointer dereference in the Linux kernel bridge driver that occurs when VLAN filtering is disabled and the BR_BOOLOPT_FDB_LOCAL_VLAN_0 option is toggled through netlink. The buggy code reaches functions that iterate over a vlan group pointer that is NULL, causing an immediate kernel fault and a system reboot. The impact is a denial of service, as any crash results in loss of service and potential system downtime. No evidence of privilege escalation or data compromise is provided in the description.
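
Added example (not part of the CVE record or the kernel patch): a user-space C model of the pattern described above, with a stub that returns NULL when filtering is compiled out, a helper that returns early on a NULL group, and a decode of the KASAN address from the oops. All names are hypothetical, the struct padding is constructed so the list head sits at the offset seen in the oops (the real layout is not on this page), and the shadow constant is the generic-KASAN x86-64 value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model with hypothetical names; not the kernel's code. */
struct list_head { struct list_head *next, *prev; };
struct model_vlan_group {
    char other_state[0x2b0];    /* constructed padding: vlan_list at the oops offset */
    struct list_head vlan_list;
};

/* Models the stub behaviour: NULL when VLAN filtering is compiled out. */
static struct model_vlan_group *group_get(int filtering_built, struct model_vlan_group *vg)
{
    return filtering_built ? vg : NULL;
}

/* Guarded helper: return early when there is no vlan group to iterate. */
static int count_vlans_guarded(const struct model_vlan_group *vg)
{
    int n = 0;
    if (!vg)
        return 0;
    for (const struct list_head *p = vg->vlan_list.next; p != &vg->vlan_list; p = p->next)
        n++;
    return n;
}

/* Generic KASAN on x86-64: shadow = (addr >> 3) + 0xdffffc0000000000. */
static uint64_t kasan_shadow_to_addr(uint64_t shadow)
{
    return (shadow - 0xdffffc0000000000ULL) << 3;
}

/* Builds a group with one list node and counts it through the guard. */
static int one_vlan_count(int filtering_built)
{
    static struct model_vlan_group g;
    static struct list_head a = { &g.vlan_list, &g.vlan_list };
    g.vlan_list.next = g.vlan_list.prev = &a;
    return count_vlans_guarded(group_get(filtering_built, &g));
}

int main(void)
{
    printf("first unguarded read offset: 0x%zx\n", offsetof(struct model_vlan_group, vlan_list));
    printf("oops address decodes to: 0x%llx\n", (unsigned long long)kasan_shadow_to_addr(0xdffffc0000000056ULL));
    printf("guarded count: %d (filtering off), %d (filtering on)\n", one_vlan_count(0), one_vlan_count(1));
    return 0;
}
```

The decoded address falls at the start of the range KASAN reports, a small offset from a NULL base, which is what reading a list head through a NULL group pointer looks like in a crash log.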

Affected Systems

All Linux kernel versions that ship with the bridge driver compiled without CONFIG_BRIDGE_VLAN_FILTERING and that do not include the patched NULL checks are affected. The vulnerability can be triggered on any distribution that uses the default kernel bridge implementation and that creates a bridge interface with the BR_BOOLOPT_FDB_LOCAL_VLAN_0 flag via RTM_NEWLINK.

Risk and Exploitability

Because the crash requires only the ability to create or modify a bridge interface, exploitation is limited to local root or an attacker with the capability to run netlink commands. The vulnerability is not listed in the CISA KEV catalog and EPSS data is unavailable, but the severity of a kernel crash is high. Triggering the crash is straightforward once the required capability is obtained, so the risk is considered high for systems that enable bridge functionality without the VLAN filtering option.

Generated by OpenCVE AI on May 6, 2026 at 11:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the NULL guard for the VLAN group pointers in br_fdb_delete_locals_per_vlan_port and br_fdb_insert_locals_per_vlan_port (commit 1979645e1842).
  • If an upgrade is not possible, avoid enabling BR_BOOLOPT_FDB_LOCAL_VLAN_0 when creating or managing bridges; instead create the bridge without this option or use netlink commands that omit the flag.
  • Configure the kernel with CONFIG_BRIDGE_VLAN_FILTERING enabled to avoid the pathological code paths that lead to the null dereference.



Advisories

No advisories yet.

History

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Title: bridge: guard local VLAN-0 FDB helpers against NULL vlan group
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T07:40:30.309Z

Reserved: 2026-05-01T14:12:55.984Z

Link: CVE-2026-43100

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-06T10:16:23.523

Modified: 2026-05-06T10:16:23.523

Link: CVE-2026-43100

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T12:15:03Z

Weaknesses

No weakness.