Description
In the Linux kernel, the following vulnerability has been resolved:

net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr

In mrp_pdu_parse_vecattr(), vector attribute events are encoded three
per byte and valen tracks the number of events left to process.

The parser decrements valen after processing the first and second events
from each event byte, but not after processing the third one. When valen
is exactly a multiple of three, the loop continues after the last valid
event and consumes the next byte as a new event byte, applying a
spurious event to the MRP applicant state.

Additionally, when valen is zero the parser unconditionally consumes
attrlen bytes as FirstValue and advances the offset, even though per
IEEE 802.1ak a VectorAttribute with only a LeaveAllEvent has valen of
zero and no FirstValue or Vector fields. This corrupts the offset for
subsequent PDU parsing.

Also, when valen exceeds three the loop crosses byte boundaries but
the attribute value is not incremented between the last event of one
byte and the first event of the next. This causes the first event of
the next byte to use the same attribute value as the third event
rather than the next consecutive value.

Decrement valen after processing the third event, skip FirstValue
consumption when valen is zero, and increment the attribute value at
the end of each loop iteration.
Published: 2026-06-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug in mrp_pdu_parse_vecattr in the Linux kernel's net/802/mrp subsystem causes the parser to incorrectly decrement the event counter, consume erroneous packet bytes, and mishandle empty vector attributes. This results in spurious MRP events being applied and incorrect offset calculations for subsequent PDUs. The flaw represents a buffer manipulation weakness (CWE-1285) and could corrupt kernel data structures that control MRP state, potentially leading to memory corruption and a crash.

Affected Systems

All Linux kernel implementations that include the IEEE 802.1ak MRP code compiled into the kernel when MRP is enabled. This includes every standard Linux distribution running a native kernel, as no specific kernel version range is listed in the advisory. The issue exists in the net/802/mrp code compiled into the kernel when MRP is enabled.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity. The EPSS score (< 1%) and absence from the CISA KEV catalog suggest a low probability of exploitation, but a malicious actor could target a host on a network segment that participates in MRP by sending malformed MRP PDUs. Based on the description, it is inferred that an attacker would need network proximity or control of a VLAN that exchanges MRP frames to trigger the defect and cause kernel.

Generated by OpenCVE AI on June 26, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the net attribute parsing fix (e.g., the commit referenced in the advisory).
  • If a kernel upgrade is not immediately feasible, disable MRP processing on affected interfaces to prevent malformed MRP PDUs from being parsed.
  • Restrict MRP traffic to trusted hosts by isolating or VLAN‑segmenting the network segments that carry MRP control frames, thereby limiting exposure to potential attackers.

Generated by OpenCVE AI on June 26, 2026 at 17:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
CWE-754

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1285
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
CWE-754

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr In mrp_pdu_parse_vecattr(), vector attribute events are encoded three per byte and valen tracks the number of events left to process. The parser decrements valen after processing the first and second events from each event byte, but not after processing the third one. When valen is exactly a multiple of three, the loop continues after the last valid event and consumes the next byte as a new event byte, applying a spurious event to the MRP applicant state. Additionally, when valen is zero the parser unconditionally consumes attrlen bytes as FirstValue and advances the offset, even though per IEEE 802.1ak a VectorAttribute with only a LeaveAllEvent has valen of zero and no FirstValue or Vector fields. This corrupts the offset for subsequent PDU parsing. Also, when valen exceeds three the loop crosses byte boundaries but the attribute value is not incremented between the last event of one byte and the first event of the next. This causes the first event of the next byte to use the same attribute value as the third event rather than the next consecutive value. Decrement valen after processing the third event, skip FirstValue consumption when valen is zero, and increment the attribute value at the end of each loop iteration.
Title net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:39.108Z

Reserved: 2026-06-09T07:44:35.393Z

Link: CVE-2026-53245

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53245 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T17:30:05Z

Weaknesses
  • CWE-1285

    Improper Validation of Specified Index, Position, or Offset in Input