net: bridge: fix soft lockup in br_multicast_query_expired()
Summary
| CVE | CVE-2025-39773 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-09-11 17:15:43 UTC |
| Updated | 2026-05-12 13:17:10 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix soft lockup in br_multicast_query_expired() When set multicast_query_interval to a large value, the local variable 'time' in br_multicast_send_query() may overflow. If the time is smaller than jiffies, the timer will expire immediately, and then call mod_timer() again, which creates a loop and may trigger the following soft lockup issue. watchdog: BUG: soft lockup - CPU#1 stuck for 221s! [rb_consumer:66] CPU: 1 UID: 0 PID: 66 Comm: rb_consumer Not tainted 6.16.0+ #259 PREEMPT(none) Call Trace: <IRQ> __netdev_alloc_skb+0x2e/0x3a0 br_ip6_multicast_alloc_query+0x212/0x1b70 __br_multicast_send_query+0x376/0xac0 br_multicast_send_query+0x299/0x510 br_multicast_query_expired.constprop.0+0x16d/0x1b0 call_timer_fn+0x3b/0x2a0 __run_timers+0x619/0x950 run_timer_softirq+0x11c/0x220 handle_softirqs+0x18e/0x560 __irq_exit_rcu+0x158/0x1a0 sysvec_apic_timer_interrupt+0x76/0x90 </IRQ> This issue can be reproduced with: ip link add br0 type bridge echo 1 > /sys/class/net/br0/bridge/multicast_querier echo 0xffffffffffffffff > /sys/class/net/br0/bridge/multicast_query_interval ip link set dev br0 up The multicast_startup_query_interval can also cause this issue. Similar to the commit 99b40610956a ("net: bridge: mcast: add and enforce query interval minimum"), add check for the query interval maximum to fix this issue. |
Risk And Classification
Primary CVSS: v3.1 5.5 MEDIUM from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Problem Types: CWE-667
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected d902eee43f1951b358d7347d9165c6af21cf7b1b 34171b9e53bd1dc264f5556579f2b04f04435c73 git | Not specified |
| CNA | Linux | Linux | affected d902eee43f1951b358d7347d9165c6af21cf7b1b 43e281fde5e76a866a4d10780c35023f16c0e432 git | Not specified |
| CNA | Linux | Linux | affected d902eee43f1951b358d7347d9165c6af21cf7b1b 96476b043efb86a94f2badd260f7f99c97bd5893 git | Not specified |
| CNA | Linux | Linux | affected d902eee43f1951b358d7347d9165c6af21cf7b1b bdb19cd0de739870bb3494c815138b9dc30875c4 git | Not specified |
| CNA | Linux | Linux | affected d902eee43f1951b358d7347d9165c6af21cf7b1b 5bf5fce8a0c2a70d063af778fdb5b27238174cdd git | Not specified |
| CNA | Linux | Linux | affected d902eee43f1951b358d7347d9165c6af21cf7b1b d1547bf460baec718b3398365f8de33d25c5f36f git | Not specified |
| CNA | Linux | Linux | affected 2.6.34 | Not specified |
| CNA | Linux | Linux | unaffected 2.6.34 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.190 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.149 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.103 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.44 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.16.4 6.16.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.17 * original_commit_for_fix | Not specified |
| ADP | Siemens | SIMATIC CN 4100 | affected V5.0 custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP | affected V3.1.5 * custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP | affected V3.1.5 * custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP | affected V3.1.5 * custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP | affected V3.1.5 * custom | Not specified |
| ADP | Siemens | SIPLUS S7-1500 CPU 1518-4 PN/DP MFP | affected V3.1.5 * custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/5bf5fce8a0c2a70d063af778fdb5b27238174cdd | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| lists.debian.org/debian-lts-announce/2025/10/msg00008.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | Third Party Advisory |
| cert-portal.siemens.com/productcert/html/ssa-082556.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| git.kernel.org/stable/c/bdb19cd0de739870bb3494c815138b9dc30875c4 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/d1547bf460baec718b3398365f8de33d25c5f36f | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| cert-portal.siemens.com/productcert/html/ssa-032379.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| git.kernel.org/stable/c/34171b9e53bd1dc264f5556579f2b04f04435c73 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/43e281fde5e76a866a4d10780c35023f16c0e432 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/96476b043efb86a94f2badd260f7f99c97bd5893 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.