Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MRP processes incoming L2 Ethernet frames, so AV:A and PR:N better reflect adjacent-network exploitation without OS credentials; no confidentiality or integrity impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr
In mrp_pdu_parse_vecattr(), vector attribute events are encoded three per byte and valen tracks the number of events left to process.
The parser decrements valen after processing the first and second events from each event byte, but not after processing the third one. When valen is exactly a multiple of three, the loop continues after the last valid event and consumes the next byte as a new event byte, applying a spurious event to the MRP applicant state.
Additionally, when valen is zero the parser unconditionally consumes attrlen bytes as FirstValue and advances the offset, even though per IEEE 802.1ak a VectorAttribute with only a LeaveAllEvent has valen of zero and no FirstValue or Vector fields. This corrupts the offset for subsequent PDU parsing.
Also, when valen exceeds three the loop crosses byte boundaries but the attribute value is not incremented between the last event of one byte and the first event of the next. This causes the first event of the next byte to use the same attribute value as the third event rather than the next consecutive value.
Decrement valen after processing the third event, skip FirstValue consumption when valen is zero, and increment the attribute value at the end of each loop iteration.
AnalysisAI
Three distinct logic errors in the Linux kernel's MRP (Multiple Registration Protocol) PDU parser mrp_pdu_parse_vecattr() allow an attacker to corrupt kernel MRP applicant state and PDU parsing offsets, resulting in denial of service. Affected systems must have the mrp kernel module loaded with an active IEEE 802.1ak bridge interface. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the `mrp` kernel module to be loaded and at least one network interface registered with the MRP subsystem (e.g., via MVRP on an 802.1Q bridge). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 5.5 (Medium) with AV:L/PR:L correctly identifies that exploitation is constrained to local, low-privileged access in the vendor's assessment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker on the same Layer 2 broadcast domain as a Linux host running MVRP/MRP sends a crafted IEEE 802.1ak VectorAttribute PDU where valen is an exact multiple of three, or sends a LeaveAllEvent PDU with valen=0. The kernel MRP parser reads beyond the intended event boundary or corrupts the PDU parse offset, causing the MRP state machine to apply spurious events to registered attributes and potentially crashing or destabilizing the MRP subsystem. … |
| Remediation | Upgrade to a patched Linux kernel: 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1, depending on the distribution's supported stable branch. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39196
GHSA-5mw9-5f6m-q724