CVE-2026-45913 Overview
CVE-2026-45913 is a Linux kernel vulnerability in the bridge multicast (mcast) subsystem. The flaw resides in how the bridge driver tracks mdb_n_entries for VLAN contexts. The kernel conditionally incremented the counter based on multicast options, but always decremented it on entry removal. This mismatch allowed an unpaired decrement, triggering a WARN_ON in br_multicast_port_ngroups_dec_one() at net/bridge/br_multicast.c:718. The issue was discovered by syzbot fuzzing the netlink-based bridge MDB interface.
Critical Impact
A local user with CAP_NET_ADMIN can trigger a kernel warning by sequencing bridge configuration and MDB flush operations, producing log noise and potential denial of service on systems configured with panic_on_warn.
Affected Products
- Linux kernel bridge driver (net/bridge/br_multicast.c)
- Distributions shipping affected stable kernel branches prior to the fix commits
- Systems with vlan_filtering and mcast_snooping enabled on bridge interfaces
Discovery Timeline
- 2026-05-27 - CVE-2026-45913 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45913
Vulnerability Analysis
The Linux bridge driver maintains a per-context counter, mdb_n_entries, to enforce limits on multicast database (MDB) entries. The counter is decremented unconditionally when an entry is removed via br_multicast_port_ngroups_dec_one(). The increment path in __br_multicast_enable_port_ctx(), however, was gated on conditions such as netif_running() and active multicast snooping options. Over time, additional conditions accumulated, opening paths where an entry could be added without an increment.
When the entry is later deleted, for example by bridge mdb flush, the decrement runs against a zero counter. This triggers a WARN() at line 718, with the message n == 0. The call chain proceeds through br_mdb_flush_pgs(), br_mdb_del_bulk(), and rtnl_mdb_del() under a netlink message handler.
Root Cause
The root cause is asymmetric accounting between increment and decrement operations on mdb_n_entries for VLAN contexts. The fix removes the conditional increment, initializes the counter on port-VLAN context creation, and keeps it always updated for the lifetime of the VLAN. The MDB limit is enforced only when the context belongs to a port or when port-VLAN multicast snooping is enabled, preserving prior behavior for limit checks.
Attack Vector
The vulnerability is reachable only from a local privileged context. An attacker with CAP_NET_ADMIN constructs a sequence that creates a bridge with vlan_filtering and mcast_snooping enabled, adds a permanent MDB entry, toggles the bridge state, enables mcast_vlan_snooping, and then flushes the MDB. The unpaired decrement triggers the kernel warning. The sequence is described in prose here because no public exploit code accompanies the syzbot reproducer.
// Conceptual reproducer sequence (not exploit code)
// ip link add br0 up type bridge vlan_filtering 1 mcast_snooping 1
// ip link add dumdum up master br0 type dummy
// bridge mdb add dev br0 port dumdum grp 239.0.0.1 permanent vid 1
// ip link set dev br0 down
// ip link set dev br0 type bridge mcast_vlan_snooping 1
// bridge mdb flush dev br0 -> triggers WARN at br_multicast.c:718
Detection Methods for CVE-2026-45913
Indicators of Compromise
- Kernel log entries containing WARNING: net/bridge/br_multicast.c:718 and the message n == 0
- Stack traces referencing br_multicast_port_ngroups_dec_one, br_multicast_del_pg, and br_mdb_flush_pgs
- Unexpected bridge MDB flush operations following mcast_vlan_snooping toggles
Detection Strategies
- Monitor dmesg and /var/log/kern.log for the specific WARNING signature tied to br_multicast.c:718
- Audit netlink RTM_DELMDB messages from non-administrative processes
- Correlate bridge configuration changes with subsequent kernel warnings to identify reproduction attempts
Monitoring Recommendations
- Forward kernel logs to a centralized logging or SIEM platform and alert on br_multicast warning signatures
- Track use of the bridge and ip link utilities by non-root contexts and namespaced processes
- Review systems configured with panic_on_warn=1, as the warning will escalate to a kernel panic
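As an added example that is not part of this advisory, the following Python scanner applies the indicators above to kernel log lines: it groups each WARNING with the trace frames that follow it and flags the ones whose location is br_multicast.c:718 and whose trace includes one of the listed MDB functions. The log lines are constructed samples in dmesg format, not a real capture.

```python
import re
from dataclasses import dataclass, field
# Signature from the advisory: WARN location and message, plus the bridge MDB
# functions expected in the stack trace.
WARN_LOCATION = "net/bridge/br_multicast.c:718"
WARN_MESSAGE = "n == 0"
TRACE_FUNCS = ("br_multicast_port_ngroups_dec_one", "br_multicast_del_pg", "br_mdb_flush_pgs")
# "WARNING: CPU: 1 PID: 1234 at net/bridge/br_multicast.c:718 func+0x1a0/0x1c0"
WARN_RE = re.compile(r"WARNING: .*?(\S+?\.c:\d+)")
# Trace frames (and the symbol on the WARNING line itself) look like "name+0x1a/0x2b".
FRAME_RE = re.compile(r"\b([A-Za-z_]\w*)\+0x[0-9a-f]+/0x[0-9a-f]+")

@dataclass
class Finding:
    line_no: int                 # 1-based index of the WARNING line in the input
    location: str                # file:line reported by the kernel
    message_seen: bool = False   # whether the "n == 0" message followed it
    frames: list = field(default_factory=list)

    def matches_cve(self) -> bool:
        """Location must match and at least one listed MDB function must appear."""
        return self.location == WARN_LOCATION and any(f in self.frames for f in TRACE_FUNCS)

def scan_kernel_log(lines):
    """Group each WARNING with the trace frames that follow it, up to 'end trace'."""
    findings, current = [], None
    for no, line in enumerate(lines, 1):
        m = WARN_RE.search(line)
        if m:
            current = Finding(no, m.group(1))
            findings.append(current)
        if current is None:
            continue                      # text outside any warning block
        if WARN_MESSAGE in line:
            current.message_seen = True
        current.frames.extend(f.group(1) for f in FRAME_RE.finditer(line))
        if "---[ end trace" in line:
            current = None
    return findings

# Constructed sample log in dmesg format; not a real capture.
SAMPLE_LOG = """\
[  124.000002] WARNING: CPU: 1 PID: 1234 at net/bridge/br_multicast.c:718 br_multicast_port_ngroups_dec_one+0x1a0/0x1c0
[  124.000003] n == 0
[  124.000005]  br_multicast_del_pg+0x2c4/0x3f0
[  124.000006]  br_mdb_flush_pgs+0x1f9/0x2f0
[  124.000008] ---[ end trace 0000000000000000 ]---
[  130.000000] WARNING: CPU: 0 PID: 99 at drivers/misc/placeholder.c:42 unrelated_fn+0x10/0x20
""".splitlines()
```

Feed it the lines of /var/log/kern.log or dmesg output; a syslog prefix before the kernel timestamp does not affect the matching.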
How to Mitigate CVE-2026-45913
Immediate Actions Required
- Apply the upstream stable kernel commits referenced in the kernel.org advisories
- Restrict CAP_NET_ADMIN and unprivileged user namespaces where bridge configuration is not required
- Disable panic_on_warn on production hosts to avoid availability impact from the warning
Patch Information
The fix removes the conditional accounting and always updates mdb_n_entries while a VLAN context exists, enforcing the MDB limit only for port contexts or VLANs with multicast snooping enabled. Stable backports are available in kernel Git commits 45525fd, 724a405, 8b769e3, d0fdad1 and fae260f.
Workarounds
- Avoid toggling mcast_vlan_snooping on bridges with existing permanent MDB entries until patched
- Disable VLAN-aware multicast snooping (mcast_vlan_snooping 0) on affected bridges where feasible
- Constrain bridge management to trusted administrative accounts and prevent unprivileged user namespaces from creating bridge devices
# Disable VLAN-aware multicast snooping as a temporary workaround
ip link set dev br0 type bridge mcast_vlan_snooping 0
# Prevent unprivileged user namespace creation (Debian/Ubuntu)
sysctl -w kernel.unprivileged_userns_clone=0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.