net: bridge: use a stable FDB dst snapshot in RCU readers
Summary
| CVE | CVE-2026-46086 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-27 14:17:30 UTC |
| Updated | 2026-05-27 14:48:03 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: net: bridge: use a stable FDB dst snapshot in RCU readers. Local FDB entries can be rewritten in place by `fdb_delete_local()`, which updates `f->dst` to another port or to `NULL` while keeping the entry alive. Several bridge RCU readers inspect `f->dst`, including `br_fdb_fillbuf()` through the `brforward_read()` sysfs path. These readers currently load `f->dst` multiple times and can therefore observe inconsistent values across the check and later dereference. In `br_fdb_fillbuf()`, this means a concurrent local-FDB update can change `f->dst` after the NULL check and before the `port_no` dereference, leading to a NULL-ptr-deref. Fix this by taking a single `READ_ONCE()` snapshot of `f->dst` in each affected RCU reader and using that snapshot for the rest of the access sequence. Also publish the in-place `f->dst` updates in `fdb_delete_local()` with `WRITE_ONCE()` so the readers and writer use matching access patterns. |
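
The check-then-use window from the description, as an added userspace C model (not the kernel patch and not code from this record). The struct names, `LOAD_ONCE`/`STORE_ONCE`, the `race_hook` callback and the `-1` sentinel are assumptions; the hook runs the writer at the exact point between check and use so the interleaving is deterministic.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model: these names are hypothetical, not the kernel's structures. */
struct port { int port_no; };
struct fdb_entry { struct port *_Atomic dst; };

/* Stand-ins for READ_ONCE()/WRITE_ONCE(): exactly one untorn load or store. */
#define LOAD_ONCE(x)     atomic_load_explicit(&(x), memory_order_relaxed)
#define STORE_ONCE(x, v) atomic_store_explicit(&(x), (v), memory_order_relaxed)

typedef void (*race_hook)(struct fdb_entry *);

/* Writer side: rewrites the live entry in place, as fdb_delete_local() does. */
void writer_clear_dst(struct fdb_entry *f) { STORE_ONCE(f->dst, NULL); }

/* Pre-fix shape: one load for the NULL check, a second load for the use.
 * Returns -1 at the point where the real reader would dereference NULL. */
int reader_double_load(struct fdb_entry *f, race_hook between)
{
    if (!LOAD_ONCE(f->dst))
        return 0;                        /* entry skipped */
    if (between)
        between(f);                      /* writer runs inside the window */
    struct port *p = LOAD_ONCE(f->dst);  /* second load may disagree */
    return p ? p->port_no : -1;
}

/* Post-fix shape: a single snapshot is both checked and used. Assumes the
 * port object outlives the reader (the RCU read-side section's job). */
int reader_snapshot(struct fdb_entry *f, race_hook between)
{
    struct port *dst = LOAD_ONCE(f->dst);
    if (!dst)
        return 0;
    if (between)
        between(f);
    return dst->port_no;
}

int main(void)
{
    struct port p = { .port_no = 7 };    /* constructed sample port */
    struct fdb_entry f = { &p };
    printf("double load: %d\n", reader_double_load(&f, writer_clear_dst));
    STORE_ONCE(f.dst, &p);
    printf("snapshot:    %d\n", reader_snapshot(&f, writer_clear_dst));
}
```
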
Risk And Classification
EPSS: 0.000180000 probability, percentile 0.051570000 (date 2026-05-30)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 960b589f86c74ce582922fcb996103271081f4de 0b9e4bbfb7c949151e3acd44ed4aa33614d2e110 git | Not specified |
| CNA | Linux | Linux | affected 960b589f86c74ce582922fcb996103271081f4de 81af4137a30c4c2dc694dea8cacb180bd66000ef git | Not specified |
| CNA | Linux | Linux | affected 960b589f86c74ce582922fcb996103271081f4de 5424e678f9b304e148cf5dcc047cffc7a56a3bb5 git | Not specified |
| CNA | Linux | Linux | affected 960b589f86c74ce582922fcb996103271081f4de 9a2d9d4e657b23dc21f24cf139e3aeff0b61341f git | Not specified |
| CNA | Linux | Linux | affected 960b589f86c74ce582922fcb996103271081f4de df4601653201de21b487c3e7fffd464790cab808 git | Not specified |
| CNA | Linux | Linux | affected 3.14 | Not specified |
| CNA | Linux | Linux | unaffected 3.14 semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.140 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.86 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.27 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.4 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1-rc1 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/df4601653201de21b487c3e7fffd464790cab808 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/9a2d9d4e657b23dc21f24cf139e3aeff0b61341f | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/0b9e4bbfb7c949151e3acd44ed4aa33614d2e110 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/81af4137a30c4c2dc694dea8cacb180bd66000ef | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/5424e678f9b304e148cf5dcc047cffc7a56a3bb5 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |