CVE-2026-31420 Overview
A resource exhaustion vulnerability has been discovered in the Linux kernel's bridge MRP (Media Redundancy Protocol) subsystem. The functions br_mrp_start_test() and br_mrp_start_in_test() accept user-supplied interval values from netlink without proper validation. When an interval of zero is provided, the delayed work handlers reschedule themselves with zero delay, creating a tight loop that exhausts all system memory and triggers a kernel panic via OOM deadlock.
Critical Impact
This vulnerability allows local attackers to cause a complete denial of service by triggering an out-of-memory condition through malicious netlink messages, resulting in kernel panic and system crash.
Affected Products
- Linux kernel with bridge MRP subsystem enabled
- Systems utilizing MRP (Media Redundancy Protocol) for network bridging
- Industrial network configurations using MRP ring topologies
Discovery Timeline
- 2026-04-13 - CVE-2026-31420 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-31420
Vulnerability Analysis
The vulnerability exists in the Linux kernel's bridge MRP implementation, specifically within the test interval handling logic. When br_mrp_start_test() or br_mrp_start_in_test() receives a zero value for the test interval parameter via netlink, the call to usecs_to_jiffies(0) returns 0. This causes the delayed work handlers (br_mrp_test_work_expired and br_mrp_in_test_work_expired) to reschedule themselves immediately with no delay.
The result is a tight loop executing on system_percpu_wq that continuously allocates and transmits MRP test frames at maximum rate. This rapid allocation pattern quickly exhausts available system memory, leading to an OOM (Out-of-Memory) condition and subsequent kernel panic through deadlock.
The same zero-interval vulnerability affects br_mrp_start_in_test_parse() for interconnect test frames, expanding the attack surface.
Root Cause
The root cause is insufficient input validation at the netlink attribute parsing layer. The nla_policy tables for IFLA_BRIDGE_MRP_START_TEST_INTERVAL and IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL did not enforce a minimum value constraint, allowing zero to be accepted as a valid interval. This violates the implicit assumption in the workqueue scheduling code that intervals will always be greater than zero.
Attack Vector
An attacker with local access and sufficient privileges to send netlink messages to the bridge subsystem can exploit this vulnerability. The attack involves sending a specially crafted netlink message containing a zero value for the MRP test interval attribute. Since the validation occurs only at the application layer and not at the netlink parsing layer, the zero value passes through to the workqueue scheduling code where it triggers the resource exhaustion loop.
The attack requires CAP_NET_ADMIN capability or root privileges to send the malicious netlink configuration messages to the bridge interface.
Detection Methods for CVE-2026-31420
Indicators of Compromise
- Unusual memory consumption patterns on systems running Linux bridge with MRP enabled
- High CPU utilization on system_percpu_wq workqueue threads
- Rapid increase in MRP test frame transmissions observed on bridge interfaces
- OOM killer activation logs in kernel messages
- System unresponsiveness preceding kernel panic
Detection Strategies
- Monitor kernel logs for OOM killer invocations related to bridge or network workqueue processes
- Implement netlink traffic monitoring to detect zero-interval MRP configuration attempts
- Track workqueue execution patterns for abnormal rescheduling rates
- Configure memory usage alerts for early detection of resource exhaustion attacks
Monitoring Recommendations
- Enable kernel memory debugging options during development and testing phases
- Implement real-time monitoring of bridge interface configuration changes via auditd
- Deploy SentinelOne Singularity platform for kernel-level behavioral anomaly detection
- Configure alerting for unusual netlink message patterns targeting bridge interfaces
How to Mitigate CVE-2026-31420
Immediate Actions Required
- Apply the kernel patches from the stable kernel tree immediately
- Restrict access to netlink bridge configuration to only essential administrative users
- Consider disabling MRP functionality if not actively required in production environments
- Implement network segmentation to limit local attacker access to affected systems
Patch Information
The vulnerability has been resolved in the Linux kernel stable tree. The fix implements NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both IFLA_BRIDGE_MRP_START_TEST_INTERVAL and IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL attributes. This ensures zero values are rejected at the netlink attribute parsing layer before reaching the workqueue scheduling code.
Patches are available from the kernel git repository:
This approach is consistent with how other bridge subsystems (br_fdb, br_mst) enforce range constraints on netlink attributes.
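The effect of the policy change described above, as an added example that is not kernel code and not part of the original advisory: a userspace C model of a u32 netlink attribute check, first without and then with a minimum of 1. The attribute id, the simplified header layout, and the names policy_unpatched, policy_patched, put_u32 and validate_attr are assumptions made for this illustration.

```c
/* Userspace model of a u32 attribute policy with a minimum value (added example, not kernel code). */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATTR_TEST_INTERVAL 2  /* constructed attribute id for this model */
#define ATTR_MAX 2
#define HDRLEN 4              /* 2-byte length + 2-byte type, like struct nlattr */
struct policy { int is_u32; uint32_t min; };

/* Before the fix: the type is checked, but any u32 value is accepted. */
static const struct policy policy_unpatched[ATTR_MAX + 1] = { [ATTR_TEST_INTERVAL] = { 1, 0 } };
/* After the fix: same type, minimum of 1, so zero never reaches the caller. */
static const struct policy policy_patched[ATTR_MAX + 1] = { [ATTR_TEST_INTERVAL] = { 1, 1 } };

/* Encode one attribute (length, type, u32 payload) in host byte order. */
static size_t put_u32(uint8_t *buf, uint16_t type, uint32_t val)
{
    uint16_t len = (uint16_t)(HDRLEN + sizeof(val));
    memcpy(buf, &len, 2);
    memcpy(buf + 2, &type, 2);
    memcpy(buf + HDRLEN, &val, sizeof(val));
    return len;
}

/* 0 = accepted, -EINVAL = malformed or unknown, -ERANGE = below the minimum. */
static int validate_attr(const uint8_t *buf, size_t buflen, const struct policy *pol)
{
    uint16_t len, type;
    uint32_t val;
    if (buflen < HDRLEN) return -EINVAL;
    memcpy(&len, buf, 2);
    memcpy(&type, buf + 2, 2);
    if (len > buflen || type > ATTR_MAX || !pol[type].is_u32) return -EINVAL;
    if (len != HDRLEN + sizeof(val)) return -EINVAL;  /* model: exactly 4 payload bytes */
    memcpy(&val, buf + HDRLEN, sizeof(val));
    return val >= pol[type].min ? 0 : -ERANGE;        /* the range check the fix adds */
}

int main(void)
{
    uint8_t buf[8];
    size_t n = put_u32(buf, ATTR_TEST_INTERVAL, 0);   /* constructed input: interval 0 */
    printf("interval=0: unpatched=%d patched=%d\n",
           validate_attr(buf, n, policy_unpatched), validate_attr(buf, n, policy_patched));
    return 0;
}
```

Because the rejection happens in the policy table, every handler that parses the attribute inherits the check without repeating it.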
Workarounds
- Limit CAP_NET_ADMIN capabilities to trusted users only using Linux capabilities or SELinux policies
- Use network namespaces to isolate bridge configurations from untrusted processes
- Implement mandatory access controls (SELinux/AppArmor) to restrict netlink bridge operations
- Monitor and rate-limit netlink configuration messages at the system level
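# SELinux commands (example); review and adapt based on your distribution and security requirements
# Enable the deny_ptrace boolean. It blocks ptrace between processes and does not by itself restrict netlink bridge operations.
semanage boolean --modify --on deny_ptrace
# Generate a policy module from the denials in the audit log. audit2allow emits allow rules, so review bridge_mrp_restrict.te before loading it.
audit2allow -a -M bridge_mrp_restrict
# Install the generated module
semodule -i bridge_mrp_restrict.pp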
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

