Description
In the Linux kernel, the following vulnerability has been resolved:

net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr

In mrp_pdu_parse_vecattr(), vector attribute events are encoded three
per byte and valen tracks the number of events left to process.

The parser decrements valen after processing the first and second events
from each event byte, but not after processing the third one. When valen
is exactly a multiple of three, the loop continues after the last valid
event and consumes the next byte as a new event byte, applying a
spurious event to the MRP applicant state.

Additionally, when valen is zero the parser unconditionally consumes
attrlen bytes as FirstValue and advances the offset, even though per
IEEE 802.1ak a VectorAttribute with only a LeaveAllEvent has valen of
zero and no FirstValue or Vector fields. This corrupts the offset for
subsequent PDU parsing.

Also, when valen exceeds three the loop crosses byte boundaries but
the attribute value is not incremented between the last event of one
byte and the first event of the next. This causes the first event of
the next byte to use the same attribute value as the third event
rather than the next consecutive value.

Decrement valen after processing the third event, skip FirstValue
consumption when valen is zero, and increment the attribute value at
the end of each loop iteration.
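
The three defects described above, reproduced in a simplified user-space model (an added example, not the kernel's code). parse_vecattr, struct trace, the one-byte FirstValue and the sample bytes are assumptions of the model; the base-6 packing of three events per byte follows IEEE 802.1ak.

```c
#include <stdint.h>
#include <stdio.h>

#define EV_MAX  6   /* three base-6 event codes are packed into one byte */
#define MAX_EVS 16  /* capacity of the trace kept by this model */
struct trace {
    unsigned applied;         /* events applied to the applicant state */
    unsigned value[MAX_EVS];  /* attribute value each event targeted */
    size_t consumed;          /* bytes consumed after the header */
};

/* Model only: attrlen == 1; fixed == 0 keeps the defects, 1 applies the fixes. */
static int parse_vecattr(const uint8_t *p, size_t len, unsigned valen,
                         int fixed, struct trace *t)
{
    size_t off = 0;
    unsigned value = 0;
    *t = (struct trace){0};
    if (!fixed || valen > 0) {   /* fix: no FirstValue when valen == 0 */
        if (off >= len)
            return -1;
        value = p[off++];
    }
    while (valen > 0) {
        if (off >= len || p[off++] / (EV_MAX * EV_MAX) >= EV_MAX)
            return -1;           /* truncated PDU or malformed event byte */
        for (int i = 0; i < 3; i++) {
            if (t->applied < MAX_EVS)
                t->value[t->applied] = value;
            t->applied++;
            if (i == 2 && !fixed)
                break;           /* bug: valen and value left unchanged */
            value++;             /* fix: next consecutive attribute value */
            if (!--valen)        /* fix: third event is counted too */
                break;
        }
    }
    t->consumed = off;
    return 0;
}

int main(void)
{
    const uint8_t body[] = { 10, 0x00, 0x00 };  /* constructed sample */
    struct trace t;
    for (int fixed = 0; fixed <= 1; fixed++)
        if (parse_vecattr(body, sizeof body, 3, fixed, &t) == 0)
            printf("fixed=%d events=%u bytes=%zu\n", fixed, t.applied, t.consumed);
    return 0;
}
```
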
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug in mrp_pdu_parse_vecattr causes the kernel to mis‑decrement the event counter and incorrectly consume bytes when the counter is a multiple of three. This results in spurious MRP events being applied to the applicant state, incorrect handling of empty attributes, and improper offset adjustment for subsequent PDUs. The mishandling can corrupt memory structures governing MRP state, potentially leading to data corruption or kernel crashes.

Affected Systems

All Linux kernel implementations that support IEEE 802.1ak MRP, including all standard Linux distributions running the native kernel. No specific kernel version range is provided in the advisory, so any kernel containing the unpatched net/802/mrp subsystem is presumed vulnerable.

Risk and Exploitability

Because the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the likelihood of exploitation is uncertain. An attacker would need to generate or inject malformed MRP PDUs (typically on a local or shared network segment that initiates MRP) to trigger the parsing defect. If successful, the flaw could allow denial of service or kernel memory corruption. The CVSS score is not supplied, so severity cannot be quantified in the advisory.

Generated by OpenCVE AI on June 25, 2026 at 11:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the net/802/mrp vector attribute parsing fix (e.g., the commit referenced in the advisory).
  • If an immediate kernel upgrade is not possible, disable MRP processing on affected interfaces to prevent the kernel from interpreting malicious PDUs.
  • Ensure that network segments that carry MRP traffic are isolated or VLAN‑segmented so that only trusted hosts can send MRP control frames.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-122, CWE-754

Thu, 25 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
Description | | Text identical to the Description section above
Title | | net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:39.108Z

Reserved: 2026-06-09T07:44:35.393Z

Link: CVE-2026-53245

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T12:00:13Z

Weaknesses
  • CWE-122

    Heap-based Buffer Overflow

  • CWE-754

    Improper Check for Unusual or Exceptional Conditions