CVE-2026-31420
Analyzed Analyzed - Analysis Complete
Use-After-Free in Linux Bridge MRP Causes OOM Panic

Publication date: 2026-04-13

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: bridge: mrp: reject zero test interval to avoid OOM panic br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied interval value from netlink without validation. When interval is 0, usecs_to_jiffies(0) yields 0, causing the delayed work (br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule itself with zero delay. This creates a tight loop on system_percpu_wq that allocates and transmits MRP test frames at maximum rate, exhausting all system memory and causing a kernel panic via OOM deadlock. The same zero-interval issue applies to br_mrp_start_in_test_parse() for interconnect test frames. Use NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both IFLA_BRIDGE_MRP_START_TEST_INTERVAL and IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the netlink attribute parsing layer before the value ever reaches the workqueue scheduling code. This is consistent with how other bridge subsystems (br_fdb, br_mst) enforce range constraints on netlink attributes.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2026-04-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31420
EUVD
EUVD-2026-21944
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.8 (inc) to 6.19.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-667 The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, ensure that the Linux kernel rejects zero interval values for MRP test frames by applying the patch that uses NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both IFLA_BRIDGE_MRP_START_TEST_INTERVAL and IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL.

This prevents zero values from being accepted at the netlink attribute parsing layer, avoiding the scheduling of delayed work with zero delay that causes a tight loop and eventual out-of-memory panic.

If a patch is not yet applied, avoid setting the MRP test interval to zero and monitor for any unusual kernel panics related to memory exhaustion.

Executive Summary

This vulnerability exists in the Linux kernel's bridge module related to the Multiple Registration Protocol (MRP). Specifically, functions br_mrp_start_test() and br_mrp_start_in_test() accept a user-supplied interval value without validating it. If the interval is set to zero, the system schedules a delayed work task with zero delay, causing it to run in a tight loop.

This tight loop continuously allocates and transmits MRP test frames at maximum rate, which exhausts all system memory and leads to a kernel panic due to an out-of-memory (OOM) deadlock.

The vulnerability is fixed by enforcing a minimum interval value of 1 at the netlink attribute parsing layer, preventing zero values from reaching the workqueue scheduling code.

Impact Analysis

If exploited, this vulnerability can cause the Linux system to enter a kernel panic due to an out-of-memory deadlock. This happens because the system continuously schedules and executes MRP test frames without delay, consuming all available memory.

The impact includes system instability, crashes, and potential denial of service, which can disrupt normal operations and availability of services running on the affected system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31420. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart