{"id":"CVE-2026-45913","summary":"net: bridge: mcast: always update mdb_n_entries for vlan contexts","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: mcast: always update mdb_n_entries for vlan contexts\n\nsyzbot triggered a warning[1] about the number of mdb entries in a context.\nIt turned out that there are multiple ways to trigger that warning today\n(some got added during the years), the root cause of the problem is that\nthe increase is done conditionally, and over the years these different\nconditions increased so there were new ways to trigger the warning, that is\nto do a decrease which wasn't paired with a previous increase.\n\nFor example one way to trigger it is with flush:\n $ ip l add br0 up type bridge vlan_filtering 1 mcast_snooping 1\n $ ip l add dumdum up master br0 type dummy\n $ bridge mdb add dev br0 port dumdum grp 239.0.0.1 permanent vid 1\n $ ip link set dev br0 down\n $ ip link set dev br0 type bridge mcast_vlan_snooping 1\n   ^^^^ this will enable snooping, but will not update mdb_n_entries\n        because in __br_multicast_enable_port_ctx() we check !netif_running\n $ bridge mdb flush dev br0\n   ^^^ this will trigger the warning because it will delete the pg which\n       we added above, which will try to decrease mdb_n_entries\n\nFix the problem by removing the conditional increase and always keep the\ncount up-to-date while the vlan exists. In order to do that we have to\nfirst initialize it on port-vlan context creation, and then always increase\nor decrease the value regardless of mcast options. To keep the current\nbehaviour we have to enforce the mdb limit only if the context is port's or\nif the port-vlan's mcast snooping is enabled.\n\n[1]\n ------------[ cut here ]------------\n n == 0\n WARNING: net/bridge/br_multicast.c:718 at br_multicast_port_ngroups_dec_one net/bridge/br_multicast.c:718 [inline], CPU#0: syz.4.4607/22043\n WARNING: net/bridge/br_multicast.c:718 at br_multicast_port_ngroups_dec net/bridge/br_multicast.c:771 [inline], CPU#0: syz.4.4607/22043\n WARNING: net/bridge/br_multicast.c:718 at br_multicast_del_pg+0x1bbe/0x1e20 net/bridge/br_multicast.c:825, CPU#0: syz.4.4607/22043\n Modules linked in:\n CPU: 0 UID: 0 PID: 22043 Comm: syz.4.4607 Not tainted syzkaller #0 PREEMPT(full)\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026\n RIP: 0010:br_multicast_port_ngroups_dec_one net/bridge/br_multicast.c:718 [inline]\n RIP: 0010:br_multicast_port_ngroups_dec net/bridge/br_multicast.c:771 [inline]\n RIP: 0010:br_multicast_del_pg+0x1bbe/0x1e20 net/bridge/br_multicast.c:825\n Code: 41 5f 5d e9 04 7a 48 f7 e8 3f 73 5c f7 90 0f 0b 90 e9 cf fd ff ff e8 31 73 5c f7 90 0f 0b 90 e9 16 fd ff ff e8 23 73 5c f7 90 \u003c0f\u003e 0b 90 e9 60 fd ff ff e8 15 73 5c f7 eb 05 e8 0e 73 5c f7 48 8b\n RSP: 0018:ffffc9000c207220 EFLAGS: 00010293\n RAX: ffffffff8a68042d RBX: ffff88807c6f1800 RCX: ffff888066e90000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: 0000000000000000 R08: ffff888066e90000 R09: 000000000000000c\n R10: 000000000000000c R11: 0000000000000000 R12: ffff8880303ef800\n R13: dffffc0000000000 R14: ffff888050eb11c4 R15: 1ffff1100a1d6238\n FS:  00007fa45921b6c0(0000) GS:ffff8881256f5000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fa4591f9ff8 CR3: 0000000081df2000 CR4: 00000000003526f0\n Call Trace:\n  \u003cTASK\u003e\n  br_mdb_flush_pgs net/bridge/br_mdb.c:1525 [inline]\n  br_mdb_flush net/bridge/br_mdb.c:1544 [inline]\n  br_mdb_del_bulk+0x5e2/0xb20 net/bridge/br_mdb.c:1561\n  rtnl_mdb_del+0x48a/0x640 net/core/rtnetlink.c:-1\n  rtnetlink_rcv_msg+0x77e/0xbe0 net/core/rtnetlink.c:6967\n  netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550\n  netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n  netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344\n  netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894\n  sock_sendmsg_nosec net/socket.c:727 [inline]\n  __sock_sendmsg net/socket.c:742 [inline]\n  ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592\n  ___sys_sendmsg+0x2a5/0x360 net/socke\n---truncated---","modified":"2026-06-26T11:56:38.300014290Z","published":"2026-05-27T12:17:28.607Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45913.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/45525fdfd4cb612d7b414dd5cfa1f43892a7cd71"},{"type":"WEB","url":"https://git.kernel.org/stable/c/724a405ce0309676f1e993c173382b4c4a022beb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8b769e311a86bb9d15c5658ad283b86fc8f080a2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d0fdad1bdd21a358cc2c85da3681ae27b86ce6ce"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fae260fc84e1eae8f590c7907e53e8768df2d986"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45913.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45913"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b57e8d870d522d905720052e6fd9c3bc9bc5f6fb"},{"fixed":"d0fdad1bdd21a358cc2c85da3681ae27b86ce6ce"},{"fixed":"724a405ce0309676f1e993c173382b4c4a022beb"},{"fixed":"fae260fc84e1eae8f590c7907e53e8768df2d986"},{"fixed":"45525fdfd4cb612d7b414dd5cfa1f43892a7cd71"},{"fixed":"8b769e311a86bb9d15c5658ad283b86fc8f080a2"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45913.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.3.0"},{"fixed":"6.6.128"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.75"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.14"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45913.json"}}],"schema_version":"1.7.5"}