HOMEVULNERABILITIESCVE-2026-43100
MEDIUM

CVE-2026-43100

Published: May 6, 2026· Updated: May 11, 2026

5.5
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:4.1th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

bridge: guard local VLAN-0 FDB helpers against NULL vlan group

When CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and

nbp_vlan_group() return NULL (br_private.h stub definitions). The

BR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and

reaches br_fdb_delete_locals_per_vlan_port() and

br_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer

is dereferenced via list_for_each_entry(v, &vg->vlan_list, vlist).

The observed crash is in the delete path, triggered when creating a

bridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0

via RTM_NEWLINK. The insert helper has the same bug pattern.

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI

KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7]

RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310

Call Trace:

br_fdb_toggle_local_vlan_0+0x452/0x4c0

br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276

br_boolopt_toggle net/bridge/br.c:313

br_boolopt_multi_toggle net/bridge/br.c:364

br_changelink net/bridge/br_netlink.c:1542

br_dev_newlink net/bridge/br_netlink.c:1575

Add NULL checks for the vlan group pointer in both helpers, returning

early when there are no VLANs to iterate. This matches the existing

pattern used by other bridge FDB functions such as br_fdb_add() and

br_fdb_delete().

NVD Source

Technical Analysis

CVE-2026-43100 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in availability disruption (denial of service), with a CVSS base score of 5.5.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityNone
IntegrityNone
AvailabilityHigh
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Vendors & Products

Linux1 product
linux kernel
Source: NVD CPE · 2 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (3)

Quick Facts

CVE IDCVE-2026-43100
CVSS Score5.5 / 10
SeverityMEDIUM
CISA KEVNo
EPSS (30d)0.02%
Affected1 vendor
PublishedMay 6, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43100 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.