Skip to main content

Linux Kernel CVE-2026-45913

| EUVDEUVD-2026-32379 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-wpm7-9hcr-ppjf
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access with CAP_NET_ADMIN (mapped to PR:L) required; no confidentiality or integrity impact; high availability impact via kernel WARN_ON or panic.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 15:09 vuln.today
CVSS changed
Jun 24, 2026 - 15:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: bridge: mcast: always update mdb_n_entries for vlan contexts

syzbot triggered a warning[1] about the number of mdb entries in a context. It turned out that there are multiple ways to trigger that warning today (some got added during the years), the root cause of the problem is that the increase is done conditionally, and over the years these different conditions increased so there were new ways to trigger the warning, that is to do a decrease which wasn't paired with a previous increase.

For example one way to trigger it is with flush: $ ip l add br0 up type bridge vlan_filtering 1 mcast_snooping 1 $ ip l add dumdum up master br0 type dummy $ bridge mdb add dev br0 port dumdum grp 239.0.0.1 permanent vid 1 $ ip link set dev br0 down $ ip link set dev br0 type bridge mcast_vlan_snooping 1 ^^^^ this will enable snooping, but will not update mdb_n_entries because in __br_multicast_enable_port_ctx() we check !netif_running $ bridge mdb flush dev br0 ^^^ this will trigger the warning because it will delete the pg which we added above, which will try to decrease mdb_n_entries

Fix the problem by removing the conditional increase and always keep the count up-to-date while the vlan exists. In order to do that we have to first initialize it on port-vlan context creation, and then always increase or decrease the value regardless of mcast options. To keep the current behaviour we have to enforce the mdb limit only if the context is port's or if the port-vlan's mcast snooping is enabled.

[1] ------------[ cut here ]------------ n == 0 WARNING: net/bridge/br_multicast.c:718 at br_multicast_port_ngroups_dec_one net/bridge/br_multicast.c:718 [inline], CPU#0: syz.4.4607/22043 WARNING: net/bridge/br_multicast.c:718 at br_multicast_port_ngroups_dec net/bridge/br_multicast.c:771 [inline], CPU#0: syz.4.4607/22043 WARNING: net/bridge/br_multicast.c:718 at br_multicast_del_pg+0x1bbe/0x1e20 net/bridge/br_multicast.c:825, CPU#0: syz.4.4607/22043 Modules linked in: CPU: 0 UID: 0 PID: 22043 Comm: syz.4.4607 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 RIP: 0010:br_multicast_port_ngroups_dec_one net/bridge/br_multicast.c:718 [inline] RIP: 0010:br_multicast_port_ngroups_dec net/bridge/br_multicast.c:771 [inline] RIP: 0010:br_multicast_del_pg+0x1bbe/0x1e20 net/bridge/br_multicast.c:825 Code: 41 5f 5d e9 04 7a 48 f7 e8 3f 73 5c f7 90 0f 0b 90 e9 cf fd ff ff e8 31 73 5c f7 90 0f 0b 90 e9 16 fd ff ff e8 23 73 5c f7 90 <0f> 0b 90 e9 60 fd ff ff e8 15 73 5c f7 eb 05 e8 0e 73 5c f7 48 8b RSP: 0018:ffffc9000c207220 EFLAGS: 00010293 RAX: ffffffff8a68042d RBX: ffff88807c6f1800 RCX: ffff888066e90000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff888066e90000 R09: 000000000000000c R10: 000000000000000c R11: 0000000000000000 R12: ffff8880303ef800 R13: dffffc0000000000 R14: ffff888050eb11c4 R15: 1ffff1100a1d6238 FS: 00007fa45921b6c0(0000) GS:ffff8881256f5000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa4591f9ff8 CR3: 0000000081df2000 CR4: 00000000003526f0 Call Trace: <TASK> br_mdb_flush_pgs net/bridge/br_mdb.c:1525 [inline] br_mdb_flush net/bridge/br_mdb.c:1544 [inline] br_mdb_del_bulk+0x5e2/0xb20 net/bridge/br_mdb.c:1561 rtnl_mdb_del+0x48a/0x640 net/core/rtnetlink.c:-1 rtnetlink_rcv_msg+0x77e/0xbe0 net/core/rtnetlink.c:6967 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592 ___sys_sendmsg+0x2a5/0x360 net/socke ---truncated---

AnalysisAI

Bridge multicast MDB entry counter underflow in the Linux kernel's net/bridge/br_multicast.c allows local attackers with low privileges to trigger a kernel WARN_ON - and a system panic on hosts configured with panic_on_warn=1 - by manipulating VLAN snooping state on a bridge interface before flushing multicast group entries. Multiple stable kernel branches are affected across all architectures that include the bridge multicast subsystem. No public exploit identified at time of analysis, with an EPSS score of 0.02% (5th percentile) confirming low exploitation probability; patches are available across kernel stable series 6.12, 6.6, 6.18, 6.19, and 7.0.

Technical ContextAI

The vulnerability resides in the Linux kernel bridge multicast subsystem in net/bridge/br_multicast.c, specifically in br_multicast_port_ngroups_dec_one (line 718), br_multicast_port_ngroups_dec (line 771), and br_multicast_del_pg (line 825). The mdb_n_entries counter tracks Multicast Database (MDB) entries for per-VLAN port contexts on a VLAN-filtering bridge. The root cause is a conditional increment in __br_multicast_enable_port_ctx() that gates the count update on netif_running - so if the bridge is in the DOWN state when mcast_vlan_snooping is enabled, the counter is not incremented for existing entries. Subsequently, a MDB flush unconditionally decrements the counter via br_multicast_del_pg, causing the counter to reach zero and underflow, which triggers the WARN_ON(n == 0) guard. The fix removes the conditional and always maintains the count while the VLAN context exists, enforcing MDB limits only when appropriate. No CWE is formally assigned, but the root cause class is a state-tracking inconsistency analogous to CWE-191 (Integer Underflow) caused by asymmetric counter management across code paths added over multiple kernel development cycles. CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* confirms this affects the kernel across all platform targets.

RemediationAI

Upgrade to a patched Linux kernel version appropriate to your stable series: 6.12.75, 6.6.128, 6.18.14, 6.19.4, or 7.0. Individual fix commits are available from the kernel stable tree at https://git.kernel.org/stable/c/45525fdfd4cb612d7b414dd5cfa1f43892a7cd71, https://git.kernel.org/stable/c/724a405ce0309676f1e993c173382b4c4a022beb, https://git.kernel.org/stable/c/8b769e311a86bb9d15c5658ad283b86fc8f080a2, https://git.kernel.org/stable/c/d0fdad1bdd21a358cc2c85da3681ae27b86ce6ce, and https://git.kernel.org/stable/c/fae260fc84e1eae8f590c7907e53e8768df2d986. If kernel update is not immediately feasible, avoid enabling mcast_vlan_snooping on bridge interfaces while the bridge is in the DOWN state - ensure the bridge is UP before changing multicast VLAN snooping configuration. Disabling mcast_vlan_snooping entirely on bridges that do not require per-VLAN multicast snooping removes the vulnerable code path with no side effect other than loss of per-VLAN multicast group isolation. Monitoring dmesg for br_multicast_port_ngroups_dec_one kernel warnings can detect exposure on unpatched systems before a panic occurs.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

CVE-2026-45913 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy