Skip to main content

Linux Kernel CVE-2026-53245

| EUVDEUVD-2026-39196 MEDIUM
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-5mw9-5f6m-q724
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

MRP processes incoming L2 Ethernet frames, so AV:A and PR:N better reflect adjacent-network exploitation without OS credentials; no confidentiality or integrity impact.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 07, 2026 - 22:23 vuln.today
CVSS changed
Jul 07, 2026 - 22:22 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr

In mrp_pdu_parse_vecattr(), vector attribute events are encoded three per byte and valen tracks the number of events left to process.

The parser decrements valen after processing the first and second events from each event byte, but not after processing the third one. When valen is exactly a multiple of three, the loop continues after the last valid event and consumes the next byte as a new event byte, applying a spurious event to the MRP applicant state.

Additionally, when valen is zero the parser unconditionally consumes attrlen bytes as FirstValue and advances the offset, even though per IEEE 802.1ak a VectorAttribute with only a LeaveAllEvent has valen of zero and no FirstValue or Vector fields. This corrupts the offset for subsequent PDU parsing.

Also, when valen exceeds three the loop crosses byte boundaries but the attribute value is not incremented between the last event of one byte and the first event of the next. This causes the first event of the next byte to use the same attribute value as the third event rather than the next consecutive value.

Decrement valen after processing the third event, skip FirstValue consumption when valen is zero, and increment the attribute value at the end of each loop iteration.

AnalysisAI

Three distinct logic errors in the Linux kernel's MRP (Multiple Registration Protocol) PDU parser mrp_pdu_parse_vecattr() allow an attacker to corrupt kernel MRP applicant state and PDU parsing offsets, resulting in denial of service. Affected systems must have the mrp kernel module loaded with an active IEEE 802.1ak bridge interface. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Position on same L2 segment as MRP-enabled Linux host
Delivery
Craft MRP VectorAttribute PDU with valen divisible by three or valen=0
Exploit
Send crafted L2 frame (EtherType 0x88F5/0x88F6) to target
Execution
Kernel mrp_pdu_parse_vecattr() reads beyond valid event boundary
Persist
MRP state machine receives spurious event / PDU offset corrupted
Impact
Denial of service via MRP subsystem crash or state corruption

Vulnerability AssessmentAI

Exploitation Exploitation requires the `mrp` kernel module to be loaded and at least one network interface registered with the MRP subsystem (e.g., via MVRP on an 802.1Q bridge). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 5.5 (Medium) with AV:L/PR:L correctly identifies that exploitation is constrained to local, low-privileged access in the vendor's assessment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the same Layer 2 broadcast domain as a Linux host running MVRP/MRP sends a crafted IEEE 802.1ak VectorAttribute PDU where valen is an exact multiple of three, or sends a LeaveAllEvent PDU with valen=0. The kernel MRP parser reads beyond the intended event boundary or corrupts the PDU parse offset, causing the MRP state machine to apply spurious events to registered attributes and potentially crashing or destabilizing the MRP subsystem. …
Remediation Upgrade to a patched Linux kernel: 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1, depending on the distribution's supported stable branch. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53245 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy