CVE-2026-43100 (GCVE-0-2026-43100)

Vulnerability from cvelistv5 – Published: 2026-05-06 07:40 – Updated: 2026-05-06 07:40
VLAI?
Title
bridge: guard local VLAN-0 FDB helpers against NULL vlan group
Summary
In the Linux kernel, the following vulnerability has been resolved: bridge: guard local VLAN-0 FDB helpers against NULL vlan group When CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and nbp_vlan_group() return NULL (br_private.h stub definitions). The BR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and reaches br_fdb_delete_locals_per_vlan_port() and br_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer is dereferenced via list_for_each_entry(v, &vg->vlan_list, vlist). The observed crash is in the delete path, triggered when creating a bridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0 via RTM_NEWLINK. The insert helper has the same bug pattern. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7] RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310 Call Trace: br_fdb_toggle_local_vlan_0+0x452/0x4c0 br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276 br_boolopt_toggle net/bridge/br.c:313 br_boolopt_multi_toggle net/bridge/br.c:364 br_changelink net/bridge/br_netlink.c:1542 br_dev_newlink net/bridge/br_netlink.c:1575 Add NULL checks for the vlan group pointer in both helpers, returning early when there are no VLANs to iterate. This matches the existing pattern used by other bridge FDB functions such as br_fdb_add() and br_fdb_delete().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 21446c06b441b9c993870efae71aef4e9aa72ec7 , < fb612d436ff0317659e45a91c25fd7d9516f5b1b (git)
Affected: 21446c06b441b9c993870efae71aef4e9aa72ec7 , < ddf0ec2d600e7dad62b89692749534d7900a732a (git)
Affected: 21446c06b441b9c993870efae71aef4e9aa72ec7 , < 1979645e1842cb7017525a61a0e0e0beb924d02a (git)
Create a notification for this product.
    Linux Linux Affected: 6.18
Unaffected: 0 , < 6.18 (semver)
Unaffected: 6.18.24 , ≤ 6.18.* (semver)
Unaffected: 6.19.14 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bridge/br_fdb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fb612d436ff0317659e45a91c25fd7d9516f5b1b",
              "status": "affected",
              "version": "21446c06b441b9c993870efae71aef4e9aa72ec7",
              "versionType": "git"
            },
            {
              "lessThan": "ddf0ec2d600e7dad62b89692749534d7900a732a",
              "status": "affected",
              "version": "21446c06b441b9c993870efae71aef4e9aa72ec7",
              "versionType": "git"
            },
            {
              "lessThan": "1979645e1842cb7017525a61a0e0e0beb924d02a",
              "status": "affected",
              "version": "21446c06b441b9c993870efae71aef4e9aa72ec7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bridge/br_fdb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.18"
            },
            {
              "lessThan": "6.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.24",
                  "versionStartIncluding": "6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.14",
                  "versionStartIncluding": "6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: guard local VLAN-0 FDB helpers against NULL vlan group\n\nWhen CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and\nnbp_vlan_group() return NULL (br_private.h stub definitions). The\nBR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and\nreaches br_fdb_delete_locals_per_vlan_port() and\nbr_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer\nis dereferenced via list_for_each_entry(v, \u0026vg-\u003evlan_list, vlist).\n\nThe observed crash is in the delete path, triggered when creating a\nbridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0\nvia RTM_NEWLINK. The insert helper has the same bug pattern.\n\n  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI\n  KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7]\n  RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310\n  Call Trace:\n   br_fdb_toggle_local_vlan_0+0x452/0x4c0\n   br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276\n   br_boolopt_toggle net/bridge/br.c:313\n   br_boolopt_multi_toggle net/bridge/br.c:364\n   br_changelink net/bridge/br_netlink.c:1542\n   br_dev_newlink net/bridge/br_netlink.c:1575\n\nAdd NULL checks for the vlan group pointer in both helpers, returning\nearly when there are no VLANs to iterate. This matches the existing\npattern used by other bridge FDB functions such as br_fdb_add() and\nbr_fdb_delete()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-06T07:40:30.309Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fb612d436ff0317659e45a91c25fd7d9516f5b1b"
        },
        {
          "url": "https://git.kernel.org/stable/c/ddf0ec2d600e7dad62b89692749534d7900a732a"
        },
        {
          "url": "https://git.kernel.org/stable/c/1979645e1842cb7017525a61a0e0e0beb924d02a"
        }
      ],
      "title": "bridge: guard local VLAN-0 FDB helpers against NULL vlan group",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43100",
    "datePublished": "2026-05-06T07:40:30.309Z",
    "dateReserved": "2026-05-01T14:12:55.984Z",
    "dateUpdated": "2026-05-06T07:40:30.309Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43100",
      "date": "2026-05-09",
      "epss": "0.00017",
      "percentile": "0.04127"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43100\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-06T10:16:23.523\",\"lastModified\":\"2026-05-06T13:07:51.607\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbridge: guard local VLAN-0 FDB helpers against NULL vlan group\\n\\nWhen CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and\\nnbp_vlan_group() return NULL (br_private.h stub definitions). The\\nBR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and\\nreaches br_fdb_delete_locals_per_vlan_port() and\\nbr_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer\\nis dereferenced via list_for_each_entry(v, \u0026vg-\u003evlan_list, vlist).\\n\\nThe observed crash is in the delete path, triggered when creating a\\nbridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0\\nvia RTM_NEWLINK. The insert helper has the same bug pattern.\\n\\n  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI\\n  KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7]\\n  RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310\\n  Call Trace:\\n   br_fdb_toggle_local_vlan_0+0x452/0x4c0\\n   br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276\\n   br_boolopt_toggle net/bridge/br.c:313\\n   br_boolopt_multi_toggle net/bridge/br.c:364\\n   br_changelink net/bridge/br_netlink.c:1542\\n   br_dev_newlink net/bridge/br_netlink.c:1575\\n\\nAdd NULL checks for the vlan group pointer in both helpers, returning\\nearly when there are no VLANs to iterate. This matches the existing\\npattern used by other bridge FDB functions such as br_fdb_add() and\\nbr_fdb_delete().\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1979645e1842cb7017525a61a0e0e0beb924d02a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ddf0ec2d600e7dad62b89692749534d7900a732a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fb612d436ff0317659e45a91c25fd7d9516f5b1b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.