CVE-2026-31420
Analyzed Analyzed - Analysis Complete

Use-After-Free in Linux Bridge MRP Causes OOM Panic

Vulnerability report for CVE-2026-31420, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-13

Last updated on: 2026-06-01

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: bridge: mrp: reject zero test interval to avoid OOM panic br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied interval value from netlink without validation. When interval is 0, usecs_to_jiffies(0) yields 0, causing the delayed work (br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule itself with zero delay. This creates a tight loop on system_percpu_wq that allocates and transmits MRP test frames at maximum rate, exhausting all system memory and causing a kernel panic via OOM deadlock. The same zero-interval issue applies to br_mrp_start_in_test_parse() for interconnect test frames. Use NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both IFLA_BRIDGE_MRP_START_TEST_INTERVAL and IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the netlink attribute parsing layer before the value ever reaches the workqueue scheduling code. This is consistent with how other bridge subsystems (br_fdb, br_mst) enforce range constraints on netlink attributes.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-13
Last Modified
2026-06-01
Generated
2026-07-06
AI Q&A
2026-04-13
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.8 (inc) to 6.19.12 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-667 The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, ensure that the Linux kernel rejects zero interval values for MRP test frames by applying the patch that uses NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both IFLA_BRIDGE_MRP_START_TEST_INTERVAL and IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL.

This prevents zero values from being accepted at the netlink attribute parsing layer, avoiding the scheduling of delayed work with zero delay that causes a tight loop and eventual out-of-memory panic.

If a patch is not yet applied, avoid setting the MRP test interval to zero and monitor for any unusual kernel panics related to memory exhaustion.

Executive Summary

This vulnerability exists in the Linux kernel's bridge module related to the Multiple Registration Protocol (MRP). Specifically, functions br_mrp_start_test() and br_mrp_start_in_test() accept a user-supplied interval value without validating it. If the interval is set to zero, the system schedules a delayed work task with zero delay, causing it to run in a tight loop.

This tight loop continuously allocates and transmits MRP test frames at maximum rate, which exhausts all system memory and leads to a kernel panic due to an out-of-memory (OOM) deadlock.

The vulnerability is fixed by enforcing a minimum interval value of 1 at the netlink attribute parsing layer, preventing zero values from reaching the workqueue scheduling code.

Impact Analysis

If exploited, this vulnerability can cause the Linux system to enter a kernel panic due to an out-of-memory deadlock. This happens because the system continuously schedules and executes MRP test frames without delay, consuming all available memory.

The impact includes system instability, crashes, and potential denial of service, which can disrupt normal operations and availability of services running on the affected system.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31420. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart