CVE-2026-46086

Summary

In the Linux kernel, the following vulnerability has been resolved:

net: bridge: use a stable FDB dst snapshot in RCU readers

Local FDB entries can be rewritten in place by fdb_delete_local(), which updates f->dst to another port or to NULL while keeping the entry alive. Several bridge RCU readers inspect f->dst, including br_fdb_fillbuf() through the brforward_read() sysfs path.

These readers currently load f->dst multiple times and can therefore observe inconsistent values across the check and later dereference. In br_fdb_fillbuf(), this means a concurrent local-FDB update can change f->dst after the NULL check and before the port_no dereference, leading to a NULL-ptr-deref.

Fix this by taking a single READ_ONCE() snapshot of f->dst in each affected RCU reader and using that snapshot for the rest of the access sequence. Also publish the in-place f->dst updates in fdb_delete_local() with WRITE_ONCE() so the readers and writer use matching access patterns.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux960b589f86c74ce582922fcb996103271081f4de < c502fa9f094cb03d1d1685c71e2105ab359bc2b8affected
LinuxLinux960b589f86c74ce582922fcb996103271081f4de < a6ae4511c07b91f597e461406c6330f0d4ff810eaffected
LinuxLinux960b589f86c74ce582922fcb996103271081f4de < 1406c4e0ed1eaf8a29801ab1163d00fb7ee4359aaffected
LinuxLinux960b589f86c74ce582922fcb996103271081f4de < 0b9e4bbfb7c949151e3acd44ed4aa33614d2e110affected
LinuxLinux960b589f86c74ce582922fcb996103271081f4de < 81af4137a30c4c2dc694dea8cacb180bd66000efaffected
LinuxLinux960b589f86c74ce582922fcb996103271081f4de < 5424e678f9b304e148cf5dcc047cffc7a56a3bb5affected
LinuxLinux960b589f86c74ce582922fcb996103271081f4de < 9a2d9d4e657b23dc21f24cf139e3aeff0b61341faffected
LinuxLinux960b589f86c74ce582922fcb996103271081f4de < df4601653201de21b487c3e7fffd464790cab808affected
LinuxLinux3.14affected
LinuxLinux0 < 3.14unaffected
LinuxLinux5.10.259 <= 5.10.*unaffected
LinuxLinux5.15.210 <= 5.15.*unaffected
LinuxLinux6.1.176 <= 6.1.*unaffected
LinuxLinux6.6.140 <= 6.6.*unaffected
LinuxLinux6.12.86 <= 6.12.*unaffected
LinuxLinux6.18.27 <= 6.18.*unaffected
LinuxLinux7.0.4 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References