CVE-2026-31420

Source
https://cve.org/CVERecord?id=CVE-2026-31420
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31420.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31420
Published
2026-04-13T13:40:24.594Z
Modified
2026-06-18T03:57:29.332695255Z
Summary
bridge: mrp: reject zero test interval to avoid OOM panic
Details

In the Linux kernel, the following vulnerability has been resolved:

bridge: mrp: reject zero test interval to avoid OOM panic

br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied interval value from netlink without validation. When interval is 0, usecs_to_jiffies(0) yields 0, causing the delayed work (br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule itself with zero delay. This creates a tight loop on system_percpu_wq that allocates and transmits MRP test frames at maximum rate, exhausting all system memory and causing a kernel panic via OOM deadlock.

The same zero-interval issue applies to br_mrp_start_in_test_parse() for interconnect test frames.

Use NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both IFLA_BRIDGE_MRP_START_TEST_INTERVAL and IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the netlink attribute parsing layer before the value ever reaches the workqueue scheduling code. This is consistent with how other bridge subsystems (br_fdb, br_mst) enforce range constraints on netlink attributes.
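
The fix described above, as an added userspace model that is not kernel code and not taken from the patch: a policy table with a minimum of 1 rejects a zero interval at the parse step, before the handler can compute a zero reschedule delay. All type and function names here (u32_policy, validate_u32, start_test, the ATTR_* constants) are hypothetical stand-ins, and the model's use of -ERANGE for an out-of-range value is an assumption of the example.

```c
#include <errno.h>
#include <stdint.h>

/* Userspace model only: hypothetical stand-ins, not the kernel's
 * struct nla_policy or the bridge MRP code. */
enum { ATTR_START_TEST_INTERVAL, ATTR_START_IN_TEST_INTERVAL, ATTR_MAX };

struct u32_policy {
    int has_min;   /* 0 models a type-only policy entry */
    uint32_t min;  /* lower bound enforced when has_min is set */
};

/* "Before": type checked only, so any u32 (including 0) is accepted. */
static const struct u32_policy policy_before[ATTR_MAX] = {
    [ATTR_START_TEST_INTERVAL]    = { 0, 0 },
    [ATTR_START_IN_TEST_INTERVAL] = { 0, 0 },
};

/* "After": models NLA_POLICY_MIN(NLA_U32, 1) on both interval attributes. */
static const struct u32_policy policy_after[ATTR_MAX] = {
    [ATTR_START_TEST_INTERVAL]    = { 1, 1 },
    [ATTR_START_IN_TEST_INTERVAL] = { 1, 1 },
};

/* Parse-layer check: runs before the value reaches any handler. */
static int validate_u32(const struct u32_policy *tbl, int attr, uint32_t val)
{
    if (attr < 0 || attr >= ATTR_MAX)
        return -EINVAL;
    if (tbl[attr].has_min && val < tbl[attr].min)
        return -ERANGE;
    return 0;
}

/* Handler model: returns the reschedule delay in microseconds, or a
 * negative errno if the parse layer rejected the request. A result of 0
 * means the periodic work would requeue itself with no delay. */
static int64_t start_test(const struct u32_policy *tbl, int attr, uint32_t interval_us)
{
    int err = validate_u32(tbl, attr, interval_us);
    return err ? err : (int64_t)interval_us;
}

int main(void)
{
    /* Exit 0 when the old table accepts 0 and the new table rejects it. */
    return !(start_test(policy_before, ATTR_START_TEST_INTERVAL, 0) == 0 &&
             start_test(policy_after, ATTR_START_TEST_INTERVAL, 0) == -ERANGE);
}
```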

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31420.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
20f6a05ef63594feb0c6dfbd629da0448b43124d
Fixed
630a15a31c2034b5b697f4aabc769b9d80d82446
Fixed
e8ec80430bfa520e7352155d6ac632e527cba7aa
Fixed
c9bc352f716d1bebfe43354bce539ec2d0223b30
Fixed
fa6e24963342de4370e3a3c9af41e38277b74cf3

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31420.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.8.0
Fixed
6.12.92
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.34
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.12

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31420.json"