In the Linux kernel, the following vulnerability has been resolved:
bridge: mrp: reject zero test interval to avoid OOM panic
br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied interval value from netlink without validation. When interval is 0, usecs_to_jiffies(0) yields 0, causing the delayed work (br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule itself with zero delay. This creates a tight loop on system_percpu_wq that allocates and transmits MRP test frames at maximum rate, exhausting all system memory and causing a kernel panic via OOM deadlock.
The same zero-interval issue applies to br_mrp_start_in_test_parse() for interconnect test frames.
Use NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both IFLA_BRIDGE_MRP_START_TEST_INTERVAL and IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the netlink attribute parsing layer before the value ever reaches the workqueue scheduling code. This is consistent with how other bridge subsystems (br_fdb, br_mst) enforce range constraints on netlink attributes.
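The effect of a minimum-value policy at the attribute parsing layer can be seen in a small userspace model (an added example, not kernel code and not the patch itself). The attribute id, the struct layouts and the names parse_interval, build_interval_attr and resched_delay are assumptions made for this illustration; resched_delay only models a round-up conversion from microseconds to timer ticks.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Userspace model of an attribute header: len covers header plus payload. */
struct attr_hdr { uint16_t len; uint16_t type; };
#define ATTR_INTERVAL 2 /* constructed id for this model, not from kernel headers */
struct u32_policy { uint16_t type; uint32_t min; };
const struct u32_policy weak_policy  = { ATTR_INTERVAL, 0 }; /* any u32 accepted */
const struct u32_policy fixed_policy = { ATTR_INTERVAL, 1 }; /* zero is rejected */

/* Parse one u32 attribute and enforce the policy before the caller sees the value. */
int parse_interval(const uint8_t *buf, size_t buflen,
                   const struct u32_policy *pol, uint32_t *out)
{
    struct attr_hdr h;
    uint32_t v;
    if (buflen < sizeof(h))
        return -EINVAL;
    memcpy(&h, buf, sizeof(h));
    if (h.len > buflen || h.len != sizeof(h) + sizeof(v) || h.type != pol->type)
        return -EINVAL;
    memcpy(&v, buf + sizeof(h), sizeof(v));
    if (v < pol->min)
        return -ERANGE; /* out of range: never reaches the scheduling code */
    *out = v;
    return 0;
}

/* Build a constructed sample attribute carrying the given interval. */
size_t build_interval_attr(uint8_t *buf, uint32_t interval)
{
    struct attr_hdr h = { (uint16_t)(sizeof(h) + sizeof(interval)), ATTR_INTERVAL };
    memcpy(buf, &h, sizeof(h));
    memcpy(buf + sizeof(h), &interval, sizeof(interval));
    return h.len;
}

/* Model of the reschedule delay in ticks; 0 means "run again immediately". */
unsigned long resched_delay(uint32_t interval_usecs, unsigned long hz)
{
    return (unsigned long)(((uint64_t)interval_usecs * hz + 999999) / 1000000);
}

int main(void) {
    uint8_t buf[8]; uint32_t v = 0; size_t n = build_interval_attr(buf, 0);
    return parse_interval(buf, n, &fixed_policy, &v) == -ERANGE ? 0 : 1;
}
```

With weak_policy the zero interval parses successfully and resched_delay returns 0, which is the self-rescheduling condition described above; with fixed_policy the same attribute fails at parse time.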
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31420.json"
}