CVE-2026-46086

Source
https://cve.org/CVERecord?id=CVE-2026-46086
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46086.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-46086
Published
2026-05-27T12:58:28.137Z
Modified
2026-06-26T11:57:11.934842675Z
Summary
net: bridge: use a stable FDB dst snapshot in RCU readers
Details

In the Linux kernel, the following vulnerability has been resolved:

net: bridge: use a stable FDB dst snapshot in RCU readers

Local FDB entries can be rewritten in place by fdb_delete_local(), which updates f->dst to another port or to NULL while keeping the entry alive. Several bridge RCU readers inspect f->dst, including br_fdb_fillbuf() through the brforward_read() sysfs path.

These readers currently load f->dst multiple times and can therefore observe inconsistent values across the check and later dereference. In br_fdb_fillbuf(), this means a concurrent local-FDB update can change f->dst after the NULL check and before the port_no dereference, leading to a NULL-ptr-deref.

Fix this by taking a single READ_ONCE() snapshot of f->dst in each affected RCU reader and using that snapshot for the rest of the access sequence. Also publish the in-place f->dst updates in fdb_delete_local() with WRITE_ONCE() so the readers and writer use matching access patterns.
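The check-then-reload window and the single-snapshot fix described above, as an added userspace model in C11 atomics (not the kernel patch or any code from the kernel tree). The struct names, function names and the writer hook that replays the concurrent update deterministically are all assumptions made for illustration.

```c
/* Userspace model only: struct and function names are stand-ins, not kernel code. */
#include <stdatomic.h>
#include <stdio.h>

struct port { int port_no; };
struct fdb_entry { _Atomic(struct port *) dst; };
typedef void (*writer_step)(struct fdb_entry *);  /* replayed concurrent writer */
#define LOAD_DST(f) atomic_load_explicit(&(f)->dst, memory_order_relaxed)

/* Writer: rewrites dst to NULL in place, one store (the role of WRITE_ONCE()). */
static void rewrite_dst_to_null(struct fdb_entry *f)
{
    atomic_store_explicit(&f->dst, (struct port *)NULL, memory_order_relaxed);
}

/* Pre-fix shape: dst is loaded for the check, then loaded again for the use.
 * Returns port_no, 0 for "no port", -1 where a NULL would be dereferenced. */
static int port_no_double_load(struct fdb_entry *f, writer_step race)
{
    if (!LOAD_DST(f))                 /* load 1: NULL check */
        return 0;
    if (race) race(f);                /* writer lands inside the window */
    struct port *p = LOAD_DST(f);     /* load 2: may no longer match load 1 */
    return p ? p->port_no : -1;
}

/* Fixed shape: one snapshot (the role of READ_ONCE()), reused throughout. */
static int port_no_snapshot(struct fdb_entry *f, writer_step race)
{
    struct port *dst = LOAD_DST(f);   /* the only load of f->dst */
    if (!dst)
        return 0;
    if (race) race(f);                /* same writer, no effect on this reader */
    return dst->port_no;
}

/* Constructed scenario: the entry points at port 3 when the reader starts. */
static int run(int (*reader)(struct fdb_entry *, writer_step), writer_step race)
{
    struct port p = { .port_no = 3 };
    struct fdb_entry f;
    atomic_init(&f.dst, &p);
    return reader(&f, race);
}

int main(void)
{
    printf("double load: %d, snapshot: %d\n", run(port_no_double_load, rewrite_dst_to_null),
           run(port_no_snapshot, rewrite_dst_to_null));
}
```

The -1 return stands in for the point at which the pre-fix reader would dereference NULL; the snapshot reader returns a consistent answer for the value it observed.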

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46086.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
960b589f86c74ce582922fcb996103271081f4de
Fixed
c502fa9f094cb03d1d1685c71e2105ab359bc2b8
Fixed
a6ae4511c07b91f597e461406c6330f0d4ff810e
Fixed
1406c4e0ed1eaf8a29801ab1163d00fb7ee4359a
Fixed
0b9e4bbfb7c949151e3acd44ed4aa33614d2e110
Fixed
81af4137a30c4c2dc694dea8cacb180bd66000ef
Fixed
5424e678f9b304e148cf5dcc047cffc7a56a3bb5
Fixed
9a2d9d4e657b23dc21f24cf139e3aeff0b61341f
Fixed
df4601653201de21b487c3e7fffd464790cab808

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46086.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type: ECOSYSTEM

Introduced    Fixed
3.14.0        5.10.259
5.11.0        5.15.210
5.16.0        6.1.176
6.2.0         6.6.140
6.7.0         6.12.86
6.13.0        6.18.27
6.19.0        7.0.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46086.json"