CVE-2026-46086
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: bridge: use a stable FDB dst snapshot in RCU readers
Local FDB entries can be rewritten in place by fdb_delete_local(), which
updates f->dst to another port or to NULL while keeping the entry
alive. Several bridge RCU readers inspect f->dst, including
br_fdb_fillbuf() through the brforward_read() sysfs path.
These readers currently load f->dst multiple times and can therefore
observe inconsistent values across the check and later dereference.
In br_fdb_fillbuf(), this means a concurrent local-FDB update can change
f->dst after the NULL check and before the port_no dereference,
leading to a NULL-ptr-deref.
Fix this by taking a single READ_ONCE() snapshot of f->dst in each
affected RCU reader and using that snapshot for the rest of the access
sequence. Also publish the in-place f->dst updates in fdb_delete_local()
with WRITE_ONCE() so the readers and writer use matching access patterns.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 960b589f86c74ce582922fcb996103271081f4de < c502fa9f094cb03d1d1685c71e2105ab359bc2b8 | affected |
| Linux | Linux | 960b589f86c74ce582922fcb996103271081f4de < a6ae4511c07b91f597e461406c6330f0d4ff810e | affected |
| Linux | Linux | 960b589f86c74ce582922fcb996103271081f4de < 1406c4e0ed1eaf8a29801ab1163d00fb7ee4359a | affected |
| Linux | Linux | 960b589f86c74ce582922fcb996103271081f4de < 0b9e4bbfb7c949151e3acd44ed4aa33614d2e110 | affected |
| Linux | Linux | 960b589f86c74ce582922fcb996103271081f4de < 81af4137a30c4c2dc694dea8cacb180bd66000ef | affected |
| Linux | Linux | 960b589f86c74ce582922fcb996103271081f4de < 5424e678f9b304e148cf5dcc047cffc7a56a3bb5 | affected |
| Linux | Linux | 960b589f86c74ce582922fcb996103271081f4de < 9a2d9d4e657b23dc21f24cf139e3aeff0b61341f | affected |
| Linux | Linux | 960b589f86c74ce582922fcb996103271081f4de < df4601653201de21b487c3e7fffd464790cab808 | affected |
| Linux | Linux | 3.14 | affected |
| Linux | Linux | 0 < 3.14 | unaffected |
| Linux | Linux | 5.10.259 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.210 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.176 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.140 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.86 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.27 <= 6.18.* | unaffected |
| Linux | Linux | 7.0.4 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/c502fa9f094cb03d1d1685c71e2105ab359bc2b8
- https://git.kernel.org/stable/c/a6ae4511c07b91f597e461406c6330f0d4ff810e
- https://git.kernel.org/stable/c/1406c4e0ed1eaf8a29801ab1163d00fb7ee4359a
- https://git.kernel.org/stable/c/0b9e4bbfb7c949151e3acd44ed4aa33614d2e110
- https://git.kernel.org/stable/c/81af4137a30c4c2dc694dea8cacb180bd66000ef
- https://git.kernel.org/stable/c/5424e678f9b304e148cf5dcc047cffc7a56a3bb5
- https://git.kernel.org/stable/c/9a2d9d4e657b23dc21f24cf139e3aeff0b61341f
- https://git.kernel.org/stable/c/df4601653201de21b487c3e7fffd464790cab808
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.