Description
In the Linux kernel, the following vulnerability has been resolved:

net: bridge: use a stable FDB dst snapshot in RCU readers

Local FDB entries can be rewritten in place by `fdb_delete_local()`, which
updates `f->dst` to another port or to `NULL` while keeping the entry
alive. Several bridge RCU readers inspect `f->dst`, including
`br_fdb_fillbuf()` through the `brforward_read()` sysfs path.

These readers currently load `f->dst` multiple times and can therefore
observe inconsistent values across the check and later dereference.
In `br_fdb_fillbuf()`, this means a concurrent local-FDB update can change
`f->dst` after the NULL check and before the `port_no` dereference,
leading to a NULL-ptr-deref.

Fix this by taking a single `READ_ONCE()` snapshot of `f->dst` in each
affected RCU reader and using that snapshot for the rest of the access
sequence. Also publish the in-place `f->dst` updates in `fdb_delete_local()`
with `WRITE_ONCE()` so the readers and writer use matching access patterns.
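
The access pattern described above, as an added userspace example (not the kernel patch or kernel source). The structs, the ports and the `writer_runs_here()` hook are hypothetical stand-ins that replay the writer's in-place update at a fixed point, so the result is deterministic; the writer retargets `dst` to another port so the pre-fix reader yields a torn value instead of faulting.

```c
#include <stdint.h>
#include <stdio.h>
/* Userspace stand-ins for the kernel macros: force exactly one load/store. */
#define READ_ONCE(x)     (*(volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v) (*(volatile __typeof__(x) *)&(x) = (v))
struct port { uint16_t port_no; };
struct fdb  { struct port *dst; };        /* simplified model of an FDB entry */
struct port port_a = { 0x0102 }, port_b = { 0x0304 };   /* constructed ports */
static struct port *pending; static int armed;          /* simulated writer state */

/* Hypothetical hook: replays the in-place f->dst rewrite inside the reader. */
static void writer_runs_here(struct fdb *f)
{
    if (armed) { armed = 0; WRITE_ONCE(f->dst, pending); }
}

/* Pre-fix pattern: f->dst is loaded again for the check and for each use. */
static int fill_racy(struct fdb *f)
{
    if (!f->dst) return -1;
    int lo = f->dst->port_no & 0xff;
    writer_runs_here(f);
    return (f->dst->port_no & 0xff00) | lo;  /* new dst here; NULL would fault */
}

/* Fixed pattern: one READ_ONCE() snapshot serves the check and every use. */
static int fill_snapshot(struct fdb *f)
{
    struct port *dst = READ_ONCE(f->dst);
    if (!dst) return -1;
    int lo = dst->port_no & 0xff;
    writer_runs_here(f);
    return (dst->port_no & 0xff00) | lo;     /* still the port that was checked */
}

/* Run one reader while the writer stores new_dst in the middle of the sequence. */
int run(int snapshot, struct port *new_dst)
{
    struct fdb f = { &port_a };
    pending = new_dst; armed = 1;
    return snapshot ? fill_snapshot(&f) : fill_racy(&f);
}

int main(void)
{
    printf("racy 0x%04x, snapshot 0x%04x, snapshot vs NULL 0x%04x\n",
           run(0, &port_b), run(1, &port_b), run(1, NULL));
    return 0;
}
```

`run(0, NULL)` is deliberately never called: in this model it is the check-then-dereference sequence that ends in the NULL dereference.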
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition in the Linux kernel networking bridge code allows concurrent modification of the forwarding database (FDB) entry destination pointer, causing readers to observe inconsistent values and eventually dereference a NULL pointer. The flaw results in a kernel crash, effectively denying service to local processes that trigger the sysfs "brforward_read" path. This vulnerability is a classic NULL pointer dereference, consistent with CWE-476.

Affected Systems

The flaw affects the Linux kernel in all releases that did not include the patch; the specific affected versions are not enumerated in the available data, but any kernel prior to the update that introduces the stable FDB snapshot will be vulnerable. All architectures using the bridge subsystem remain in scope.

Risk and Exploitability

The local attack vector requires a privileged user or a process with the ability to write to the sysfs bridge interface, making the vulnerability local but significant. The EPSS score is not provided, and the issue is not listed in CISA KEV. Nonetheless, the severity is high, as an attacker can reliably crash the kernel and disrupt system availability. Exploitation does not appear to require sophisticated conditions beyond local access; thus the risk remains elevated until the kernel is updated.

Generated by OpenCVE AI on May 27, 2026 at 17:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the FDB snapshot patch.
  • Reboot the system after upgrading the kernel to ensure the new code is loaded.
  • Limit access to the bridge sysfs interface (e.g., /sys/class/net/*/bridge) to privileged users only, and consider disabling unnecessary bridge operations until the patch is applied.


Advisories

No advisories yet.

History

Wed, 27 May 2026 18:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-476

Wed, 27 May 2026 14:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: In the Linux kernel, the following vulnerability has been resolved: net: bridge: use a stable FDB dst snapshot in RCU readers Local FDB entries can be rewritten in place by `fdb_delete_local()`, which updates `f->dst` to another port or to `NULL` while keeping the entry alive. Several bridge RCU readers inspect `f->dst`, including `br_fdb_fillbuf()` through the `brforward_read()` sysfs path. These readers currently load `f->dst` multiple times and can therefore observe inconsistent values across the check and later dereference. In `br_fdb_fillbuf()`, this means a concurrent local-FDB update can change `f->dst` after the NULL check and before the `port_no` dereference, leading to a NULL-ptr-deref. Fix this by taking a single `READ_ONCE()` snapshot of `f->dst` in each affected RCU reader and using that snapshot for the rest of the access sequence. Also publish the in-place `f->dst` updates in `fdb_delete_local()` with `WRITE_ONCE()` so the readers and writer use matching access patterns.

Type: Title
Values Removed: (none)
Values Added: net: bridge: use a stable FDB dst snapshot in RCU readers

Type: First Time appeared
Values Removed: (none)
Values Added: Linux; Linux linux Kernel

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:58:28.137Z

Reserved: 2026-05-13T15:03:33.096Z

Link: CVE-2026-46086

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:30.080

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46086

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T18:00:15Z

Weaknesses