CVE-2026-45913
Awaiting Analysis Awaiting Analysis - Queue
Memory Corruption in Linux Kernel Bridge Multicast

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: bridge: mcast: always update mdb_n_entries for vlan contexts syzbot triggered a warning[1] about the number of mdb entries in a context. It turned out that there are multiple ways to trigger that warning today (some got added during the years), the root cause of the problem is that the increase is done conditionally, and over the years these different conditions increased so there were new ways to trigger the warning, that is to do a decrease which wasn't paired with a previous increase. For example one way to trigger it is with flush: $ ip l add br0 up type bridge vlan_filtering 1 mcast_snooping 1 $ ip l add dumdum up master br0 type dummy $ bridge mdb add dev br0 port dumdum grp 239.0.0.1 permanent vid 1 $ ip link set dev br0 down $ ip link set dev br0 type bridge mcast_vlan_snooping 1 ^^^^ this will enable snooping, but will not update mdb_n_entries because in __br_multicast_enable_port_ctx() we check !netif_running $ bridge mdb flush dev br0 ^^^ this will trigger the warning because it will delete the pg which we added above, which will try to decrease mdb_n_entries Fix the problem by removing the conditional increase and always keep the count up-to-date while the vlan exists. In order to do that we have to first initialize it on port-vlan context creation, and then always increase or decrease the value regardless of mcast options. To keep the current behaviour we have to enforce the mdb limit only if the context is port's or if the port-vlan's mcast snooping is enabled. [1] ------------[ cut here ]------------ n == 0 WARNING: net/bridge/br_multicast.c:718 at br_multicast_port_ngroups_dec_one net/bridge/br_multicast.c:718 [inline], CPU#0: syz.4.4607/22043 WARNING: net/bridge/br_multicast.c:718 at br_multicast_port_ngroups_dec net/bridge/br_multicast.c:771 [inline], CPU#0: syz.4.4607/22043 WARNING: net/bridge/br_multicast.c:718 at br_multicast_del_pg+0x1bbe/0x1e20 net/bridge/br_multicast.c:825, CPU#0: syz.4.4607/22043 Modules linked in: CPU: 0 UID: 0 PID: 22043 Comm: syz.4.4607 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 RIP: 0010:br_multicast_port_ngroups_dec_one net/bridge/br_multicast.c:718 [inline] RIP: 0010:br_multicast_port_ngroups_dec net/bridge/br_multicast.c:771 [inline] RIP: 0010:br_multicast_del_pg+0x1bbe/0x1e20 net/bridge/br_multicast.c:825 Code: 41 5f 5d e9 04 7a 48 f7 e8 3f 73 5c f7 90 0f 0b 90 e9 cf fd ff ff e8 31 73 5c f7 90 0f 0b 90 e9 16 fd ff ff e8 23 73 5c f7 90 <0f> 0b 90 e9 60 fd ff ff e8 15 73 5c f7 eb 05 e8 0e 73 5c f7 48 8b RSP: 0018:ffffc9000c207220 EFLAGS: 00010293 RAX: ffffffff8a68042d RBX: ffff88807c6f1800 RCX: ffff888066e90000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff888066e90000 R09: 000000000000000c R10: 000000000000000c R11: 0000000000000000 R12: ffff8880303ef800 R13: dffffc0000000000 R14: ffff888050eb11c4 R15: 1ffff1100a1d6238 FS: 00007fa45921b6c0(0000) GS:ffff8881256f5000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa4591f9ff8 CR3: 0000000081df2000 CR4: 00000000003526f0 Call Trace: <TASK> br_mdb_flush_pgs net/bridge/br_mdb.c:1525 [inline] br_mdb_flush net/bridge/br_mdb.c:1544 [inline] br_mdb_del_bulk+0x5e2/0xb20 net/bridge/br_mdb.c:1561 rtnl_mdb_del+0x48a/0x640 net/core/rtnetlink.c:-1 rtnetlink_rcv_msg+0x77e/0xbe0 net/core/rtnetlink.c:6967 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592 ___sys_sendmsg+0x2a5/0x360 net/socke ---truncated---
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-45913
EUVD
EUVD-2026-32379
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's network bridge multicast (mcast) code. The issue is related to the tracking of multicast database (mdb) entries for VLAN contexts. Specifically, the count of mdb entries (mdb_n_entries) was only conditionally increased, which over time led to situations where decreases in the count were not properly paired with previous increases. This caused warnings and potential inconsistencies when managing multicast groups on bridge ports with VLAN filtering and multicast snooping enabled.

The root cause is that the code increased the mdb_n_entries count only under certain conditions, but decreases could happen without a matching increase, leading to incorrect counts and warnings triggered by syzbot. The fix involved always updating the mdb_n_entries count whenever a VLAN context exists, regardless of multicast options, ensuring the count remains accurate.

Impact Analysis

This vulnerability can cause incorrect tracking of multicast group entries on network bridge VLAN contexts, which may lead to warnings and potential instability in the network bridge multicast handling. While the description does not explicitly mention security exploits such as privilege escalation or denial of service, the incorrect counting could cause unexpected behavior or resource mismanagement in network bridge multicast operations.

In practical terms, this could affect network performance or reliability on systems using Linux bridges with VLAN filtering and multicast snooping, potentially impacting network traffic management.

Detection Guidance

This vulnerability can be detected by observing warnings related to multicast database (mdb) entries in the Linux kernel bridge multicast code. Specifically, a warning triggered by syzbot about the number of mdb entries in a context indicates the issue.

A practical way to reproduce or detect the warning involves using the following commands to create a bridge, add a dummy interface, add a multicast group, and then flush the multicast database, which triggers the warning if the vulnerability is present:

  • $ ip l add br0 up type bridge vlan_filtering 1 mcast_snooping 1
  • $ ip l add dumdum up master br0 type dummy
  • $ bridge mdb add dev br0 port dumdum grp 239.0.0.1 permanent vid 1
  • $ ip link set dev br0 down
  • $ ip link set dev br0 type bridge mcast_vlan_snooping 1
  • $ bridge mdb flush dev br0

The last command triggers the warning because it deletes the port group which tries to decrease mdb_n_entries incorrectly.

Mitigation Strategies

The vulnerability is fixed by ensuring that the multicast database entry count (mdb_n_entries) is always updated correctly regardless of multicast options or port state.

Immediate mitigation involves updating the Linux kernel to a version where this fix is applied, which removes the conditional increase and always keeps the count up-to-date while the VLAN exists.

Until the kernel is updated, avoid operations that trigger the inconsistent update of mdb_n_entries, such as flushing the multicast database on bridge VLAN contexts with multicast snooping enabled but the interface down.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45913. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart