PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45913 Linux CVE debrief

A logic error in the Linux kernel's bridge multicast (mcast) implementation allows an unpaired decrement of the mdb_n_entries counter, triggering a kernel warning and potential instability. The vulnerability exists because mdb_n_entries was incremented conditionally, based on runtime state, but decremented unconditionally during cleanup operations. A specific trigger sequence involves: creating a bridge with VLAN filtering and multicast snooping, adding a multicast database (MDB) entry, bringing the bridge down, enabling mcast_vlan_snooping (which skips the counter increment because of the !netif_running check), then flushing MDB entries (which decrements the counter). The decrement then runs against a counter that was never incremented, an underflow caught by WARN_ON(n == 0) in br_multicast_port_ngroups_dec_one(). The fix ensures mdb_n_entries is always maintained for VLAN contexts by initializing it on creation and keeping the count accurate regardless of multicast option states, with limit enforcement applied only when appropriate.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators running bridge networking with VLAN filtering and multicast snooping; kernel maintainers tracking stable branch updates; security teams monitoring for kernel warning anomalies

Technical summary

The Linux kernel's bridge multicast subsystem maintains per-port-VLAN context counters (mdb_n_entries) to track multicast group memberships. The vulnerability stems from asymmetric accounting: increments were gated by runtime conditions (netif_running, mcast snooping enablement) while decrements occurred unconditionally during cleanup paths. Specifically, __br_multicast_enable_port_ctx() skips counter updates when !netif_running, but br_mdb_flush() and br_multicast_del_pg() always decrement. This architectural inconsistency, introduced and exacerbated by incremental feature additions over years, permits the counter to underflow. The fix (commit 45525fdfd4cb) restructures the accounting to initialize counters at VLAN context creation and maintain them consistently, applying limit enforcement only when the context is port-level or has explicit VLAN snooping enabled.
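To make the asymmetric accounting concrete, the following is an added C model of the trigger sequence and of the corrected invariant; it is not kernel code. The struct mcast_ctx, the functions buggy_inc_on_add(), buggy_enable_vlan_snooping(), fixed_inc_on_add(), ngroups_dec_one() and replay_sequence(), and the warnings field are stand-ins for the kernel's per-port-VLAN context, its increment/enable paths, br_multicast_port_ngroups_dec_one() and WARN_ON(). The only behaviour it reproduces is what the debrief states: increments gated on snooping state and netif_running, an unconditional decrement on flush, and a fix that keeps the VLAN counter accurate at all times while enforcing the limit only for port contexts or VLAN contexts with snooping enabled.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of a bridge multicast context (added illustration, not the
 * kernel's net_bridge_mcast_port; field and function names are placeholders). */
struct mcast_ctx {
    bool is_port_ctx;             /* port-level context rather than a per-VLAN one */
    bool vlan_snooping;           /* mcast_vlan_snooping enabled for this context */
    bool netif_running;           /* bridge interface is up */
    unsigned int mdb_n_entries;   /* the counter at issue */
    unsigned int mdb_max_entries; /* 0 means no limit configured */
    unsigned int warnings;        /* stand-in for WARN_ON(n == 0) firing */
};

/* Decrement as the debrief describes br_multicast_port_ngroups_dec_one():
 * unconditional, with a warning when the counter is already zero. */
static void ngroups_dec_one(struct mcast_ctx *ctx)
{
    if (ctx->mdb_n_entries == 0) {
        ctx->warnings++;          /* WARN_ON(n == 0) in the real code */
        return;                   /* model stops at zero instead of wrapping */
    }
    ctx->mdb_n_entries--;
}

/* Buggy increment path: a VLAN context is only counted while snooping is on,
 * so entries added before that are never reflected in its counter. */
static int buggy_inc_on_add(struct mcast_ctx *ctx)
{
    if (!ctx->is_port_ctx && !ctx->vlan_snooping)
        return 0;                 /* VLAN context not counting yet */
    if (ctx->mdb_max_entries && ctx->mdb_n_entries >= ctx->mdb_max_entries)
        return -1;                /* limit reached */
    ctx->mdb_n_entries++;
    return 0;
}

/* Buggy enable path (as the debrief describes __br_multicast_enable_port_ctx):
 * re-counts existing entries into the VLAN context, but bails when !netif_running. */
static void buggy_enable_vlan_snooping(struct mcast_ctx *ctx, unsigned int existing)
{
    ctx->vlan_snooping = true;
    if (!ctx->netif_running)
        return;                   /* the skipped increment */
    ctx->mdb_n_entries += existing;
}

/* Fixed increment: the counter is always maintained; the limit is enforced
 * only for port contexts or VLAN contexts with snooping enabled. */
static int fixed_inc_on_add(struct mcast_ctx *ctx)
{
    bool enforce = ctx->is_port_ctx || ctx->vlan_snooping;

    if (enforce && ctx->mdb_max_entries &&
        ctx->mdb_n_entries >= ctx->mdb_max_entries)
        return -1;
    ctx->mdb_n_entries++;
    return 0;
}

/* Replays the debrief's trigger sequence against one accounting variant and
 * returns how many "n == 0" warnings it produced (1 for buggy, 0 for fixed). */
static unsigned int replay_sequence(bool fixed)
{
    struct mcast_ctx vlan = { .is_port_ctx = false, .vlan_snooping = false,
                              .netif_running = true, .mdb_n_entries = 0,
                              .mdb_max_entries = 0, .warnings = 0 };
    unsigned int entries = 0;

    /* 1. bridge up with VLAN filtering and snooping; add one MDB entry */
    if (fixed)
        fixed_inc_on_add(&vlan);
    else
        buggy_inc_on_add(&vlan);
    entries++;

    /* 2. bring the bridge down */
    vlan.netif_running = false;

    /* 3. enable mcast_vlan_snooping */
    if (fixed)
        vlan.vlan_snooping = true;    /* counter already accurate, nothing to redo */
    else
        buggy_enable_vlan_snooping(&vlan, entries);

    /* 4. flush MDB entries: each one is decremented unconditionally */
    for (unsigned int i = 0; i < entries; i++)
        ngroups_dec_one(&vlan);

    return vlan.warnings;
}

int main(void)
{
    printf("buggy accounting warnings: %u\n", replay_sequence(false));
    printf("fixed accounting warnings: %u\n", replay_sequence(true));
    return 0;
}
```

The point the model makes is the invariant a reviewer would check in any counted resource: every decrement path must have a matching increment path that runs under the same conditions, or the counter must be maintained independently of those conditions. Gating the limit check, rather than the count itself, is what the fix does.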

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates from stable branches when available
  • Monitor kernel logs for 'n == 0' warnings in br_multicast.c as potential exploitation indicators
  • Review bridge multicast configurations for systems using VLAN filtering with mcast_snooping and mcast_vlan_snooping
  • Consider disabling mcast_vlan_snooping on affected systems if multicast VLAN snooping is not required
  • Audit systems for unexpected bridge state transitions that could trigger counter desynchronization

Evidence notes

Vulnerability confirmed via syzbot crash report with full stack trace showing warning triggered at net/bridge/br_multicast.c:718. Root cause analysis and fix commit messages describe the conditional increment logic flaw. Multiple stable kernel branches received backports.

Official resources

2026-05-27