CVE-2025-39773
published 2025-09-11CVE-2025-39773: In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix soft lockup in br_multicast_query_expired() When set…
medium5.5CVSS 3.1
AVLACLPRLUINSUCNINAH
In the Linux kernel, the following vulnerability has been resolved:
net: bridge: fix soft lockup in br_multicast_query_expired()
When set multicast_query_interval to a large value, the local variable
'time' in br_multicast_send_query() may overflow. If the time is smaller
than jiffies, the timer will expire immediately, and then call mod_timer()
again, which creates a loop and may trigger the following soft lockup
issue.
watchdog: BUG: soft lockup - CPU#1 stuck for 221s! [rb_consumer:66]
CPU: 1 UID: 0 PID: 66 Comm: rb_consumer Not tainted 6.16.0+ #259 PREEMPT(none)
Call Trace:
__netdev_alloc_skb+0x2e/0x3a0
br_ip6_multicast_alloc_query+0x212/0x1b70
__br_multicast_send_query+0x376/0xac0
br_multicast_send_query+0x299/0x510
br_multicast_query_expired.constprop.0+0x16d/0x1b0
call_timer_fn+0x3b/0x2a0
__run_timers+0x619/0x950
run_timer_softirq+0x11c/0x220
handle_softirqs+0x18e/0x560
__irq_exit_rcu+0x158/0x1a0
sysvec_apic_timer_interrupt+0x76/0x90
This issue can be reproduced with:
ip link add br0 type bridge
echo 1 > /sys/class/net/br0/bridge/multicast_querier
echo 0xffffffffffffffff >
/sys/class/net/br0/bridge/multicast_query_interval
ip link set dev br0 up
The multicast_startup_query_interval can also cause this issue. Similar to
the commit 99b40610956a ("net: bridge: mcast: add and enforce query
interval minimum"), add check for the query interval maximum to fix this
issue.
Affected
32 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= d902eee43f1951b358d7347d9165c6af21cf7b1b < 34171b9e53bd1dc264f5556579f2b04f04435c73 | 34171b9e53bd1dc264f5556579f2b04f04435c73 |
| linux | linux | >= d902eee43f1951b358d7347d9165c6af21cf7b1b < 43e281fde5e76a866a4d10780c35023f16c0e432 | 43e281fde5e76a866a4d10780c35023f16c0e432 |
| linux | linux | >= d902eee43f1951b358d7347d9165c6af21cf7b1b < 96476b043efb86a94f2badd260f7f99c97bd5893 | 96476b043efb86a94f2badd260f7f99c97bd5893 |
| linux | linux | >= d902eee43f1951b358d7347d9165c6af21cf7b1b < bdb19cd0de739870bb3494c815138b9dc30875c4 | bdb19cd0de739870bb3494c815138b9dc30875c4 |
| linux | linux | >= d902eee43f1951b358d7347d9165c6af21cf7b1b < 5bf5fce8a0c2a70d063af778fdb5b27238174cdd | 5bf5fce8a0c2a70d063af778fdb5b27238174cdd |
| linux | linux | >= d902eee43f1951b358d7347d9165c6af21cf7b1b < d1547bf460baec718b3398365f8de33d25c5f36f | d1547bf460baec718b3398365f8de33d25c5f36f |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 6.1.153-1 | 6.1.153-1 |
| linux | linux_kernel | >= 0 < 6.12.48-1 | 6.12.48-1 |
| linux | linux_kernel | >= 0 < 6.16.5-1 | 6.16.5-1 |
| linux | linux_kernel | >= 0 < 5.15.0-163.173 | 5.15.0-163.173 |
| linux | linux_kernel | >= 0 < 6.8.0-100.100 | 6.8.0-100.100 |
| linux | linux_kernel | >= 2.6.34 < 5.15.190 | 5.15.190 |
| linux | linux_kernel | >= 5.16 < 6.1.149 | 6.1.149 |
| linux | linux_kernel | >= 6.13 < 6.16.4 | 6.16.4 |
| linux | linux_kernel | >= 6.2 < 6.6.103 | 6.6.103 |
| linux | linux_kernel | >= 6.7 < 6.12.44 | 6.12.44 |
| msrc | azl3_kernel_6.6.96.2-2_on_azure_linux_3.0 | — | — |
| msrc | cbl2_kernel_5.15.186.1-1_on_cbl_mariner_2.0 | — | — |
| ubuntu | linux-aws | — | — |
| ubuntu | linux-aws-6.8 | — | — |
CVSS provenance
nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv5.5MEDIUM