Skip to main content

Linux Kernel CVE-2026-46086

| EUVDEUVD-2026-32469 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-qcf5-mj4w-x99v
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Race condition requires concurrent FDB deletion timing, warranting AC:H; PR:L reflects local unprivileged access needed; no C or I impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
5.7 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 17:29 vuln.today
CVSS changed
Jun 24, 2026 - 17:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: bridge: use a stable FDB dst snapshot in RCU readers

Local FDB entries can be rewritten in place by fdb_delete_local(), which updates f->dst to another port or to NULL while keeping the entry alive. Several bridge RCU readers inspect f->dst, including br_fdb_fillbuf() through the brforward_read() sysfs path.

These readers currently load f->dst multiple times and can therefore observe inconsistent values across the check and later dereference. In br_fdb_fillbuf(), this means a concurrent local-FDB update can change f->dst after the NULL check and before the port_no dereference, leading to a NULL-ptr-deref.

Fix this by taking a single READ_ONCE() snapshot of f->dst in each affected RCU reader and using that snapshot for the rest of the access sequence. Also publish the in-place f->dst updates in fdb_delete_local() with WRITE_ONCE() so the readers and writer use matching access patterns.

AnalysisAI

NULL pointer dereference in the Linux kernel bridge subsystem's FDB (Forwarding Database) RCU readers allows a local low-privileged user to crash the kernel via a sysfs read race. The vulnerability in br_fdb_fillbuf() - reached through the brforward_read() sysfs path - loads f->dst multiple times without synchronization, enabling a concurrent fdb_delete_local() call to nullify the pointer between the NULL check and the subsequent port_no dereference. No active exploitation has been identified (EPSS 0.02%, not in CISA KEV), but vendor patch commits are available across all active stable kernel branches.

Technical ContextAI

The vulnerability resides in the Linux kernel's net/bridge subsystem, specifically in FDB management code identified by CPE cpe:2.3:o:linux:linux_kernel. The FDB maps MAC addresses to bridge ports; local entries can be rewritten in place by fdb_delete_local(), which modifies f->dst - the destination port pointer - to NULL or to another port while keeping the FDB entry alive. RCU (Read-Copy-Update) readers such as br_fdb_fillbuf() are expected to be lock-free, but they load f->dst across multiple instructions without using READ_ONCE(), violating the RCU memory model. The root cause class is CWE-476 (NULL Pointer Dereference): a write racing between the NULL guard and the port_no field access produces a kernel NULL dereference. The fix applies READ_ONCE() to snapshot f->dst atomically in each affected reader and pairs it with WRITE_ONCE() in fdb_delete_local() to enforce correct access ordering across writer and readers.

RemediationAI

Upgrade to a patched kernel version on the relevant stable branch: 6.12.86 or later, 6.6.140 or later (LTS), 7.0.4 or later, or 6.18.27 or later. Mainline is fixed in 7.1-rc1. Patch commits are available at https://git.kernel.org/stable/c/df4601653201de21b487c3e7fffd464790cab808, https://git.kernel.org/stable/c/5424e678f9b304e148cf5dcc047cffc7a56a3bb5, and related stable-tree references provided by NVD. If immediate kernel patching is not feasible, restrict access to the sysfs bridge forwarding path (typically /sys/class/net/<bridge>/brforward) via filesystem ACLs or a MAC policy (SELinux/AppArmor) to prevent unprivileged users from triggering br_fdb_fillbuf() - note this only mitigates the sysfs vector and does not address other RCU readers fixed by the patch. Alternatively, removing bridge interfaces where not operationally required eliminates the code path entirely, though this has obvious network-function trade-offs.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46086 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy