VYPR
Medium severity5.5NVD Advisory· Published Apr 13, 2026· Updated Jun 1, 2026

CVE-2026-31420

CVE-2026-31420

Description

In the Linux kernel, the following vulnerability has been resolved:

bridge: mrp: reject zero test interval to avoid OOM panic

br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied interval value from netlink without validation. When interval is 0, usecs_to_jiffies(0) yields 0, causing the delayed work (br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule itself with zero delay. This creates a tight loop on system_percpu_wq that allocates and transmits MRP test frames at maximum rate, exhausting all system memory and causing a kernel panic via OOM deadlock.

The same zero-interval issue applies to br_mrp_start_in_test_parse() for interconnect test frames.

Use NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both IFLA_BRIDGE_MRP_START_TEST_INTERVAL and IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the netlink attribute parsing layer before the value ever reaches the workqueue scheduling code. This is consistent with how other bridge subsystems (br_fdb, br_mst) enforce range constraints on netlink attributes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

10
  • Linux/Kernel8 versions
    cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 7 more
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=5.8,<6.19.12
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    • (no CPE)
  • osv-coords
    Range: < 6.18.34-r0

Patches

Vulnerability mechanics

References

4

News mentions

1