CVE-2026-45913

Source
https://cve.org/CVERecord?id=CVE-2026-45913
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45913.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-45913
Downstream
Published
2026-05-27T12:17:28.607Z
Modified
2026-06-26T11:56:38.300014290Z
Summary
net: bridge: mcast: always update mdb_n_entries for vlan contexts
Details

In the Linux kernel, the following vulnerability has been resolved:

net: bridge: mcast: always update mdbnentries for vlan contexts

syzbot triggered a warning[1] about the number of mdb entries in a context. It turned out that there are multiple ways to trigger that warning today (some got added during the years), the root cause of the problem is that the increase is done conditionally, and over the years these different conditions increased so there were new ways to trigger the warning, that is to do a decrease which wasn't paired with a previous increase.

For example one way to trigger it is with flush: $ ip l add br0 up type bridge vlanfiltering 1 mcastsnooping 1 $ ip l add dumdum up master br0 type dummy $ bridge mdb add dev br0 port dumdum grp 239.0.0.1 permanent vid 1 $ ip link set dev br0 down $ ip link set dev br0 type bridge mcastvlansnooping 1 ^^^^ this will enable snooping, but will not update mdbnentries because in _brmulticastenableportctx() we check !netifrunning $ bridge mdb flush dev br0 ^^^ this will trigger the warning because it will delete the pg which we added above, which will try to decrease mdbnentries

Fix the problem by removing the conditional increase and always keep the count up-to-date while the vlan exists. In order to do that we have to first initialize it on port-vlan context creation, and then always increase or decrease the value regardless of mcast options. To keep the current behaviour we have to enforce the mdb limit only if the context is port's or if the port-vlan's mcast snooping is enabled.

[1] ------------[ cut here ]------------ n == 0 WARNING: net/bridge/brmulticast.c:718 at brmulticastportngroupsdecone net/bridge/brmulticast.c:718 [inline], CPU#0: syz.4.4607/22043 WARNING: net/bridge/brmulticast.c:718 at brmulticastportngroupsdec net/bridge/brmulticast.c:771 [inline], CPU#0: syz.4.4607/22043 WARNING: net/bridge/brmulticast.c:718 at brmulticastdelpg+0x1bbe/0x1e20 net/bridge/brmulticast.c:825, CPU#0: syz.4.4607/22043 Modules linked in: CPU: 0 UID: 0 PID: 22043 Comm: syz.4.4607 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 RIP: 0010:brmulticastportngroupsdecone net/bridge/brmulticast.c:718 [inline] RIP: 0010:brmulticastportngroupsdec net/bridge/brmulticast.c:771 [inline] RIP: 0010:brmulticastdelpg+0x1bbe/0x1e20 net/bridge/brmulticast.c:825 Code: 41 5f 5d e9 04 7a 48 f7 e8 3f 73 5c f7 90 0f 0b 90 e9 cf fd ff ff e8 31 73 5c f7 90 0f 0b 90 e9 16 fd ff ff e8 23 73 5c f7 90 <0f> 0b 90 e9 60 fd ff ff e8 15 73 5c f7 eb 05 e8 0e 73 5c f7 48 8b RSP: 0018:ffffc9000c207220 EFLAGS: 00010293 RAX: ffffffff8a68042d RBX: ffff88807c6f1800 RCX: ffff888066e90000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff888066e90000 R09: 000000000000000c R10: 000000000000000c R11: 0000000000000000 R12: ffff8880303ef800 R13: dffffc0000000000 R14: ffff888050eb11c4 R15: 1ffff1100a1d6238 FS: 00007fa45921b6c0(0000) GS:ffff8881256f5000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa4591f9ff8 CR3: 0000000081df2000 CR4: 00000000003526f0 Call Trace: <TASK> brmdbflushpgs net/bridge/brmdb.c:1525 [inline] brmdbflush net/bridge/brmdb.c:1544 [inline] brmdbdelbulk+0x5e2/0xb20 net/bridge/brmdb.c:1561 rtnlmdbdel+0x48a/0x640 net/core/rtnetlink.c:-1 rtnetlinkrcvmsg+0x77e/0xbe0 net/core/rtnetlink.c:6967 netlinkrcvskb+0x232/0x4b0 net/netlink/afnetlink.c:2550 netlinkunicastkernel net/netlink/afnetlink.c:1318 [inline] netlinkunicast+0x80f/0x9b0 net/netlink/afnetlink.c:1344 netlinksendmsg+0x813/0xb40 net/netlink/afnetlink.c:1894 socksendmsgnosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592 __syssendmsg+0x2a5/0x360 net/socke ---truncated---

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45913.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b57e8d870d522d905720052e6fd9c3bc9bc5f6fb
Fixed
d0fdad1bdd21a358cc2c85da3681ae27b86ce6ce
Fixed
724a405ce0309676f1e993c173382b4c4a022beb
Fixed
fae260fc84e1eae8f590c7907e53e8768df2d986
Fixed
45525fdfd4cb612d7b414dd5cfa1f43892a7cd71
Fixed
8b769e311a86bb9d15c5658ad283b86fc8f080a2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45913.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.6.128
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.75
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.14
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45913.json"