VYPR
Unrated severity · NVD Advisory · Published Dec 8, 2025 · Updated Apr 15, 2026

CVE-2025-40297

Description

In the Linux kernel, the following vulnerability has been resolved:

net: bridge: fix use-after-free due to MST port state bypass

syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN filtering disabled can lead to fdb learning at a time when it shouldn't happen while the port is being deleted. VLAN filtering must be disabled because we flush the port VLANs when it's being deleted which will stop learning. This fix adds a check for the port's vlan group which is initialized to NULL when the port is getting deleted, that avoids the port state bypass. When MST is enabled there would be a minimal new overhead in the fast-path because the port's vlan group pointer is cache-hot.

[1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in the Linux kernel bridge: with MST enabled the port's disabled state is bypassed, so FDB learning can continue on a port while it is being deleted.

Root Cause

The vulnerability is a use-after-free in the Linux kernel's bridge code, hit when an expired FDB entry is deleted. It is a race between FDB learning and port deletion: when a port is removed, the bridge sets its state to disabled and flushes its FDB entries, and no learning should happen after that. With Multiple Spanning Tree (MST) enabled, however, the ingress path does not consult the port's own state (MST resolves state from the port's VLAN entries instead), so the disabled state is bypassed. When VLAN filtering is also disabled, flushing the port's VLANs during deletion does not stop learning either; with VLAN filtering enabled it would, because the port has no VLANs left to accept traffic on. The result is that frames arriving on a port that is being deleted can still create FDB entries, and those entries are what later become the use-after-free.

Attack Vector

Triggering the bug requires a bridge with MST enabled and VLAN filtering disabled, and a port that is being deleted while frames are still arriving on it. Anyone who can send frames into that port (a host on the same L2 segment, or a VM or container attached to it) supplies the learning side of the race; the deletion side is an administrative action (removing the port from the bridge), so the outcome is timing-dependent. During deletion the port is disabled and its FDB entries and VLANs are flushed, but because MST bypasses the disabled state, a concurrent frame can still be learned and create an FDB entry on a port that is going away; deleting that entry once it expires is the use-after-free.

Impact

Successful exploitation results in a use-after-free, which can lead to memory corruption, system crash (denial of service), or potentially arbitrary code execution in kernel context, depending on how the freed memory is reused.

Mitigation

The fix adds a check of the port's VLAN group pointer, which is set to NULL when the port is being deleted, before applying the MST bypass; a port with no VLAN group is treated according to its own (disabled) state, so learning stops. Per the commit message, the only fast-path cost is reading that pointer when MST is enabled, and it is cache-hot. The fix is in the stable kernel updates; apply the current kernel update for your distribution. While unpatched, note that the race needs both MST enabled and VLAN filtering disabled on the same bridge, so bridges that do not use that combination are not exposed to it. This issue was reported via syzkaller [1].
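To make the Root Cause and Mitigation concrete, the following is an added stand-alone C model of the ingress state decision described above, with the pre-fix and post-fix MST checks side by side. It is not the kernel's code and not part of this advisory; the struct and function names (`mst_enabled_vulnerable`, `mst_enabled_fixed`, `learns_during_deletion`, the `vlgrp` pointer that becomes NULL during deletion) are assumptions chosen to mirror the description, and the per-VLAN state lookup is reduced to "does the port still have VLANs".

```c
/* Added example for CVE-2025-40297: a simplified, stand-alone model of the
 * bridge ingress state decision and of the fix. This is NOT the kernel's
 * code; names are assumptions modelled on the advisory's description. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum port_state { STATE_DISABLED, STATE_LEARNING, STATE_FORWARDING };

struct vlan_group { int nvlans; };          /* stand-in for the port VLAN group */

struct bridge {
    bool mst_enabled;                       /* MST on/off (bridge-wide) */
    bool vlan_filtering;                    /* VLAN filtering on/off */
};

struct port {
    const struct bridge *br;
    enum port_state state;                  /* port-level STP state */
    struct vlan_group *vlgrp;               /* NULL once deletion has begun */
};

typedef bool (*mst_check_fn)(const struct port *);

/* Pre-fix check: only the bridge-wide MST flag is consulted. */
bool mst_enabled_vulnerable(const struct port *p)
{
    return p->br->mst_enabled;
}

/* Post-fix check, as the advisory describes it: MST must be on AND the port
 * must still own a VLAN group. A port being deleted has vlgrp == NULL, so the
 * state bypass below no longer applies to it. */
bool mst_enabled_fixed(const struct port *p)
{
    return p->br->mst_enabled && p->vlgrp != NULL;
}

/* Effective state used for the learning decision on ingress. With MST the
 * port-level state is replaced by FORWARDING and the real per-VLAN state is
 * only resolved when VLAN filtering is enabled; with VLAN filtering disabled
 * nothing ever overrides the FORWARDING placeholder. */
static enum port_state ingress_state(const struct port *p, mst_check_fn mst_enabled)
{
    if (!mst_enabled(p))
        return p->state;                    /* port state honoured */

    if (p->br->vlan_filtering) {
        /* Per-VLAN lookup (simplified): a flushed/deleted port has no VLANs,
         * so the frame is not accepted. Modelled as DISABLED. */
        if (p->vlgrp == NULL || p->vlgrp->nvlans == 0)
            return STATE_DISABLED;
        return STATE_FORWARDING;
    }
    return STATE_FORWARDING;                /* port state bypassed */
}

static bool would_learn(const struct port *p, mst_check_fn mst_enabled)
{
    enum port_state s = ingress_state(p, mst_enabled);
    return s == STATE_LEARNING || s == STATE_FORWARDING;
}

/* Model the deletion sequence (state -> DISABLED, FDB flushed, VLAN group
 * dropped) and ask whether a frame arriving right after it would still be
 * learned. A `true` result is the bug: learning on a port that is going away. */
bool learns_during_deletion(bool mst, bool vlan_filtering, mst_check_fn mst_enabled)
{
    struct bridge br = { .mst_enabled = mst, .vlan_filtering = vlan_filtering };
    struct vlan_group vg = { .nvlans = 1 };
    struct port p = { .br = &br, .state = STATE_FORWARDING, .vlgrp = &vg };

    p.state = STATE_DISABLED;               /* port disabled */
    /* FDB entries flushed here (not modelled) */
    p.vlgrp = NULL;                         /* port VLAN group cleared */

    return would_learn(&p, mst_enabled);
}

int main(void)
{
    static const struct { const char *name; mst_check_fn fn; } checks[] = {
        { "vulnerable", mst_enabled_vulnerable },
        { "fixed",      mst_enabled_fixed },
    };
    for (size_t i = 0; i < sizeof checks / sizeof checks[0]; i++)
        for (int mst = 0; mst <= 1; mst++)
            for (int vf = 0; vf <= 1; vf++)
                printf("%-10s mst=%d vlan_filtering=%d -> learns during deletion: %s\n",
                       checks[i].name, mst, vf,
                       learns_during_deletion(mst, vf, checks[i].fn) ? "YES (bug)" : "no");
    return 0;
}
```

Running it prints one line per combination; only the vulnerable check with MST on and VLAN filtering off reports learning on the deleted port, which is exactly the precondition the commit message states. The fixed check closes that case without changing the others.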

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

  • Linux/Kernel (inferred), 2 versions, no CPE assigned

Patches: 5

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in the index yet)