{"api_version":"1","generated_at":"2026-05-06T20:29:31+00:00","cve":"CVE-2026-43100","urls":{"html":"https://cve.report/CVE-2026-43100","api":"https://cve.report/api/cve/CVE-2026-43100.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43100","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43100"},"summary":{"title":"bridge: guard local VLAN-0 FDB helpers against NULL vlan group","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: guard local VLAN-0 FDB helpers against NULL vlan group\n\nWhen CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and\nnbp_vlan_group() return NULL (br_private.h stub definitions). The\nBR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and\nreaches br_fdb_delete_locals_per_vlan_port() and\nbr_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer\nis dereferenced via list_for_each_entry(v, &vg->vlan_list, vlist).\n\nThe observed crash is in the delete path, triggered when creating a\nbridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0\nvia RTM_NEWLINK. The insert helper has the same bug pattern.\n\n  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI\n  KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7]\n  RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310\n  Call Trace:\n   br_fdb_toggle_local_vlan_0+0x452/0x4c0\n   br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276\n   br_boolopt_toggle net/bridge/br.c:313\n   br_boolopt_multi_toggle net/bridge/br.c:364\n   br_changelink net/bridge/br_netlink.c:1542\n   br_dev_newlink net/bridge/br_netlink.c:1575\n\nAdd NULL checks for the vlan group pointer in both helpers, returning\nearly when there are no VLANs to iterate. This matches the existing\npattern used by other bridge FDB functions such as br_fdb_add() and\nbr_fdb_delete().","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-06 10:16:23","updated_at":"2026-05-06 13:07:51"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/1979645e1842cb7017525a61a0e0e0beb924d02a","name":"https://git.kernel.org/stable/c/1979645e1842cb7017525a61a0e0e0beb924d02a","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/fb612d436ff0317659e45a91c25fd7d9516f5b1b","name":"https://git.kernel.org/stable/c/fb612d436ff0317659e45a91c25fd7d9516f5b1b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/ddf0ec2d600e7dad62b89692749534d7900a732a","name":"https://git.kernel.org/stable/c/ddf0ec2d600e7dad62b89692749534d7900a732a","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43100","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43100","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 21446c06b441b9c993870efae71aef4e9aa72ec7 fb612d436ff0317659e45a91c25fd7d9516f5b1b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 21446c06b441b9c993870efae71aef4e9aa72ec7 ddf0ec2d600e7dad62b89692749534d7900a732a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 21446c06b441b9c993870efae71aef4e9aa72ec7 1979645e1842cb7017525a61a0e0e0beb924d02a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.18","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.24 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.14 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/bridge/br_fdb.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"fb612d436ff0317659e45a91c25fd7d9516f5b1b","status":"affected","version":"21446c06b441b9c993870efae71aef4e9aa72ec7","versionType":"git"},{"lessThan":"ddf0ec2d600e7dad62b89692749534d7900a732a","status":"affected","version":"21446c06b441b9c993870efae71aef4e9aa72ec7","versionType":"git"},{"lessThan":"1979645e1842cb7017525a61a0e0e0beb924d02a","status":"affected","version":"21446c06b441b9c993870efae71aef4e9aa72ec7","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/bridge/br_fdb.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.18"},{"lessThan":"6.18","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.24","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.14","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.24","versionStartIncluding":"6.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.14","versionStartIncluding":"6.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.18","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: guard local VLAN-0 FDB helpers against NULL vlan group\n\nWhen CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and\nnbp_vlan_group() return NULL (br_private.h stub definitions). The\nBR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and\nreaches br_fdb_delete_locals_per_vlan_port() and\nbr_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer\nis dereferenced via list_for_each_entry(v, &vg->vlan_list, vlist).\n\nThe observed crash is in the delete path, triggered when creating a\nbridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0\nvia RTM_NEWLINK. The insert helper has the same bug pattern.\n\n  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI\n  KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7]\n  RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310\n  Call Trace:\n   br_fdb_toggle_local_vlan_0+0x452/0x4c0\n   br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276\n   br_boolopt_toggle net/bridge/br.c:313\n   br_boolopt_multi_toggle net/bridge/br.c:364\n   br_changelink net/bridge/br_netlink.c:1542\n   br_dev_newlink net/bridge/br_netlink.c:1575\n\nAdd NULL checks for the vlan group pointer in both helpers, returning\nearly when there are no VLANs to iterate. This matches the existing\npattern used by other bridge FDB functions such as br_fdb_add() and\nbr_fdb_delete()."}],"providerMetadata":{"dateUpdated":"2026-05-06T07:40:30.309Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/fb612d436ff0317659e45a91c25fd7d9516f5b1b"},{"url":"https://git.kernel.org/stable/c/ddf0ec2d600e7dad62b89692749534d7900a732a"},{"url":"https://git.kernel.org/stable/c/1979645e1842cb7017525a61a0e0e0beb924d02a"}],"title":"bridge: guard local VLAN-0 FDB helpers against NULL vlan group","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43100","datePublished":"2026-05-06T07:40:30.309Z","dateReserved":"2026-05-01T14:12:55.984Z","dateUpdated":"2026-05-06T07:40:30.309Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-06 10:16:23","lastModifiedDate":"2026-05-06 13:07:51","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43100","Ordinal":"1","Title":"bridge: guard local VLAN-0 FDB helpers against NULL vlan group","CVE":"CVE-2026-43100","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43100","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: guard local VLAN-0 FDB helpers against NULL vlan group\n\nWhen CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and\nnbp_vlan_group() return NULL (br_private.h stub definitions). The\nBR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and\nreaches br_fdb_delete_locals_per_vlan_port() and\nbr_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer\nis dereferenced via list_for_each_entry(v, &vg->vlan_list, vlist).\n\nThe observed crash is in the delete path, triggered when creating a\nbridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0\nvia RTM_NEWLINK. The insert helper has the same bug pattern.\n\n  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI\n  KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7]\n  RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310\n  Call Trace:\n   br_fdb_toggle_local_vlan_0+0x452/0x4c0\n   br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276\n   br_boolopt_toggle net/bridge/br.c:313\n   br_boolopt_multi_toggle net/bridge/br.c:364\n   br_changelink net/bridge/br_netlink.c:1542\n   br_dev_newlink net/bridge/br_netlink.c:1575\n\nAdd NULL checks for the vlan group pointer in both helpers, returning\nearly when there are no VLANs to iterate. This matches the existing\npattern used by other bridge FDB functions such as br_fdb_add() and\nbr_fdb_delete().","Type":"Description","Title":"bridge: guard local VLAN-0 FDB helpers against NULL vlan group"}]}}}