Skip to main content

Linux Kernel CVE-2026-31420

| EUVDEUVD-2026-21944 MEDIUM
Improper Locking (CWE-667)
2026-04-13 Linux GHSA-644j-vc34-vf98
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 18:23 vuln.today
CVSS changed
May 20, 2026 - 18:22 NVD
5.5 (MEDIUM)
EUVD ID Assigned
Apr 13, 2026 - 13:45 euvd
EUVD-2026-21944
CVE Published
Apr 13, 2026 - 13:40 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bridge: mrp: reject zero test interval to avoid OOM panic

br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied interval value from netlink without validation. When interval is 0, usecs_to_jiffies(0) yields 0, causing the delayed work (br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule itself with zero delay. This creates a tight loop on system_percpu_wq that allocates and transmits MRP test frames at maximum rate, exhausting all system memory and causing a kernel panic via OOM deadlock.

The same zero-interval issue applies to br_mrp_start_in_test_parse() for interconnect test frames.

Use NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both IFLA_BRIDGE_MRP_START_TEST_INTERVAL and IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the netlink attribute parsing layer before the value ever reaches the workqueue scheduling code. This is consistent with how other bridge subsystems (br_fdb, br_mst) enforce range constraints on netlink attributes.

AnalysisAI

Uncontrolled resource exhaustion in the Linux kernel bridge MRP subsystem allows a locally authenticated attacker to trigger a kernel OOM panic by supplying a zero-value test interval via netlink. The br_mrp_start_test() and br_mrp_start_in_test() functions lack input validation for the interval parameter; when set to zero, usecs_to_jiffies(0) yields 0, causing delayed work items on system_percpu_wq to reschedule themselves at maximum rate while continuously allocating and transmitting MRP test frames until all system memory is exhausted. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (6th percentile) reflects low current exploitation probability, though the denial-of-service impact is severe - a full kernel panic.

Technical ContextAI

The affected subsystem is the Linux kernel's bridge Media Redundancy Protocol (MRP) implementation, introduced around Linux 5.8, which provides Ethernet ring redundancy per IEC 62439-2. The vulnerability stems from absent netlink attribute validation: IFLA_BRIDGE_MRP_START_TEST_INTERVAL and IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL are accepted as raw NLA_U32 values with no minimum bound enforced in the nla_policy tables. The fix applies NLA_POLICY_MIN(NLA_U32, 1) at the netlink parsing layer, consistent with how br_fdb and br_mst enforce constraints - rejecting zero before the value reaches workqueue scheduling code. The CVE is classified CWE-667 (Improper Locking), though the root cause more precisely maps to missing input validation (CWE-20) compounded by uncontrolled resource consumption (CWE-400); the CWE-667 assignment warrants scrutiny as no locking defect is described. CPE data (cpe:2.3:a:linux:linux:*) confirms scope across the general Linux kernel tree. The tag 'Information Disclosure' applied to this CVE appears incorrect - the impact is exclusively availability (A:H) with no confidentiality or integrity component per CVSS.

RemediationAI

The primary fix is to upgrade to Linux kernel 6.19.12 or 7.0, which include the validated NLA_POLICY_MIN(NLA_U32, 1) constraint. For systems not yet on a patched release, the upstream fix commits are c9bc352f716d1bebfe43354bce539ec2d0223b30 (stable) and fa6e24963342de4370e3a3c9af41e38277b74cf3 (mainline), available at https://git.kernel.org/stable/c/c9bc352f716d1bebfe43354bce539ec2d0223b30 and https://git.kernel.org/stable/c/fa6e24963342de4370e3a3c9af41e38277b74cf3. As a compensating control where patching is not immediately possible, administrators can unload or restrict access to the bridge MRP kernel module (rmmod br_mrp if the feature is not operationally required), eliminating the attack surface entirely with no functional impact on non-MRP bridge configurations. Alternatively, restricting CAP_NET_ADMIN privileges (which are required to send the relevant netlink messages) to trusted accounts via capability bounding sets or seccomp profiles reduces exposure; note this may impact legitimate network management tooling. Downstream distribution patches should be tracked via vendor-specific channels (Red Hat, Debian, Ubuntu, SUSE) as the NVD advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-31420 is the primary reference.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31420 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy