{"id":"CVE-2026-31420","summary":"bridge: mrp: reject zero test interval to avoid OOM panic","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: mrp: reject zero test interval to avoid OOM panic\n\nbr_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied\ninterval value from netlink without validation. When interval is 0,\nusecs_to_jiffies(0) yields 0, causing the delayed work\n(br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule\nitself with zero delay. This creates a tight loop on system_percpu_wq\nthat allocates and transmits MRP test frames at maximum rate, exhausting\nall system memory and causing a kernel panic via OOM deadlock.\n\nThe same zero-interval issue applies to br_mrp_start_in_test_parse()\nfor interconnect test frames.\n\nUse NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both\nIFLA_BRIDGE_MRP_START_TEST_INTERVAL and\nIFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the\nnetlink attribute parsing layer before the value ever reaches the\nworkqueue scheduling code. This is consistent with how other bridge\nsubsystems (br_fdb, br_mst) enforce range constraints on netlink\nattributes.","modified":"2026-06-18T03:57:29.332695255Z","published":"2026-04-13T13:40:24.594Z","related":["CGA-gfm9-5rqj-fhqv","SUSE-SU-2026:21841-1","SUSE-SU-2026:21845-1","SUSE-SU-2026:21860-1","SUSE-SU-2026:21876-1","SUSE-SU-2026:21877-1","SUSE-SU-2026:21916-1","SUSE-SU-2026:21919-1","SUSE-SU-2026:2217-1","SUSE-SU-2026:2238-1","openSUSE-SU-2026:20826-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31420.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/630a15a31c2034b5b697f4aabc769b9d80d82446"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c9bc352f716d1bebfe43354bce539ec2d0223b30"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e8ec80430bfa520e7352155d6ac632e527cba7aa"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fa6e24963342de4370e3a3c9af41e38277b74cf3"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31420.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31420"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"20f6a05ef63594feb0c6dfbd629da0448b43124d"},{"fixed":"630a15a31c2034b5b697f4aabc769b9d80d82446"},{"fixed":"e8ec80430bfa520e7352155d6ac632e527cba7aa"},{"fixed":"c9bc352f716d1bebfe43354bce539ec2d0223b30"},{"fixed":"fa6e24963342de4370e3a3c9af41e38277b74cf3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31420.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.8.0"},{"fixed":"6.12.92"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.34"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.12"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31420.json"}}],"schema_version":"1.7.5"}