5.5

CVE-2026-46086

net: bridge: use a stable FDB dst snapshot in RCU readers

In the Linux kernel, the following vulnerability has been resolved:

net: bridge: use a stable FDB dst snapshot in RCU readers

Local FDB entries can be rewritten in place by `fdb_delete_local()`, which
updates `f->dst` to another port or to `NULL` while keeping the entry
alive. Several bridge RCU readers inspect `f->dst`, including
`br_fdb_fillbuf()` through the `brforward_read()` sysfs path.

These readers currently load `f->dst` multiple times and can therefore
observe inconsistent values across the check and later dereference.
In `br_fdb_fillbuf()`, this means a concurrent local-FDB update can change
`f->dst` after the NULL check and before the `port_no` dereference,
leading to a NULL-ptr-deref.

Fix this by taking a single `READ_ONCE()` snapshot of `f->dst` in each
affected RCU reader and using that snapshot for the rest of the access
sequence. Also publish the in-place `f->dst` updates in `fdb_delete_local()`
with `WRITE_ONCE()` so the readers and writer use matching access patterns.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 3.14.1 < 5.10.259
LinuxLinux Kernel Version >= 5.11 < 5.15.210
LinuxLinux Kernel Version >= 5.16 < 6.1.176
LinuxLinux Kernel Version >= 6.2 < 6.6.140
LinuxLinux Kernel Version >= 6.7 < 6.12.86
LinuxLinux Kernel Version >= 6.13 < 6.18.27
LinuxLinux Kernel Version >= 6.19 < 7.0.4
LinuxLinux Kernel Version3.14 Update-
LinuxLinux Kernel Version3.14 Updaterc3
LinuxLinux Kernel Version3.14 Updaterc4
LinuxLinux Kernel Version3.14 Updaterc5
LinuxLinux Kernel Version3.14 Updaterc6
LinuxLinux Kernel Version3.14 Updaterc7
LinuxLinux Kernel Version3.14 Updaterc8
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.12% 0.024
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

https://git.kernel.org/stable/c/0b9e4bbfb7c949151e3acd44ed4aa33614d2e110
Patch
https://git.kernel.org/stable/c/81af4137a30c4c2dc694dea8cacb180bd66000ef
Patch
https://git.kernel.org/stable/c/5424e678f9b304e148cf5dcc047cffc7a56a3bb5
Patch
https://git.kernel.org/stable/c/9a2d9d4e657b23dc21f24cf139e3aeff0b61341f
Patch
https://git.kernel.org/stable/c/df4601653201de21b487c3e7fffd464790cab808
Patch
https://git.kernel.org/stable/c/1406c4e0ed1eaf8a29801ab1163d00fb7ee4359a
Patch
https://git.kernel.org/stable/c/a6ae4511c07b91f597e461406c6330f0d4ff810e
Patch
https://git.kernel.org/stable/c/c502fa9f094cb03d1d1685c71e2105ab359bc2b8
Patch