CVE-2026-46086
Description
In the Linux kernel, the following vulnerability has been resolved:
net: bridge: use a stable FDB dst snapshot in RCU readers
Local FDB entries can be rewritten in place by fdb_delete_local(), which updates f->dst to another port or to NULL while keeping the entry alive. Several bridge RCU readers inspect f->dst, including br_fdb_fillbuf() through the brforward_read() sysfs path.
These readers currently load f->dst multiple times and can therefore observe inconsistent values across the check and later dereference. In br_fdb_fillbuf(), this means a concurrent local-FDB update can change f->dst after the NULL check and before the port_no dereference, leading to a NULL-ptr-deref.
Fix this by taking a single READ_ONCE() snapshot of f->dst in each affected RCU reader and using that snapshot for the rest of the access sequence. Also publish the in-place f->dst updates in fdb_delete_local() with WRITE_ONCE() so the readers and writer use matching access patterns.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3Patches
Vulnerability mechanics
References
5- git.kernel.org/stable/c/0b9e4bbfb7c949151e3acd44ed4aa33614d2e110nvd
- git.kernel.org/stable/c/5424e678f9b304e148cf5dcc047cffc7a56a3bb5nvd
- git.kernel.org/stable/c/81af4137a30c4c2dc694dea8cacb180bd66000efnvd
- git.kernel.org/stable/c/9a2d9d4e657b23dc21f24cf139e3aeff0b61341fnvd
- git.kernel.org/stable/c/df4601653201de21b487c3e7fffd464790cab808nvd
News mentions
0No linked articles in our index yet.