HIGH
bridge CFM PeerMEP Race
CVE-2026-23393
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

bridge: cfm: Fix race condition in peer_mep deletion

When a peer MEP is being deleted, cancel_delayed_work_sync() is called on ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in softirq context under rcu_read_lock (without RTNL) and can re-schedule ccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync() returning and kfree_rcu() being called.

The following is a simple race scenario:

```
cpu0                                        cpu1
mep_delete_implementation()
  cancel_delayed_work_sync(ccm_rx_dwork);
                                            br_cfm_frame_rx()
                                              // peer_mep still in hlist
                                              if (peer_mep->ccm_defect)
                                                ccm_rx_timer_start()
                                                  queue_delayed_work(ccm_rx_dwork)
  hlist_del_rcu(&peer_mep->head);
  kfree_rcu(peer_mep, rcu);
                                            ccm_rx_work_expired()
                                              // on freed peer_mep
```

To prevent this, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync() in both peer MEP deletion paths, so that subsequent queue_delayed_work() calls from br_cfm_frame_rx() are silently rejected. The cc_peer_disable() helper retains cancel_delayed_work_sync() because it is also used for the CC enable/disable toggle path where the work must remain re-schedulable.
02 KernelScan AI Analysis
Risk summary
This race condition can cause kernel crashes or memory corruption when CFM peer MEPs are deleted while CFM frames are being processed. The vulnerability could lead to denial of service or potentially code execution in networking equipment that uses bridge CFM functionality.
Vulnerability analysis
Root Cause: A race condition exists in the bridge CFM (Connectivity Fault Management) peer MEP deletion code. When deleting a peer MEP, the code calls cancel_delayed_work_sync() to stop the ccm_rx_dwork delayed work, then removes the peer from the hash list and frees it with kfree_rcu(). However, br_cfm_frame_rx() runs in softirq context under rcu_read_lock and can reschedule the same delayed work between the cancel and free operations, leading to use-after-free when the work executes on the freed peer_mep structure.
Attack Surface: This vulnerability affects systems using bridge CFM functionality, which is typically found in industrial networking and carrier-grade equipment. The race condition can be triggered through network frames that cause br_cfm_frame_rx() to execute concurrently with peer MEP deletion operations. No special privileges are required to send CFM frames that could trigger this condition.
Fix Mechanism: The fix replaces cancel_delayed_work_sync() with disable_delayed_work_sync() in both peer MEP deletion paths. Once the work is disabled, any later queue_delayed_work() call from br_cfm_frame_rx() is silently rejected, so the work can no longer be re-armed in the window between the cancel and the kfree_rcu(). The cc_peer_disable() helper keeps cancel_delayed_work_sync() because it also serves the CC enable/disable toggle path, where the work must remain re-schedulable.
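To make the difference between the two work-queue calls concrete, here is an added user-space model (not kernel code, and not part of this advisory or the kernel patch) that replays the cpu0/cpu1 interleaving from the commit message. The struct and `model_*` helper names are simplified stand-ins for the real kernel API; `replay_race(false)` is the pre-fix deletion path and `replay_race(true)` the fixed one.

```c
#include <stdbool.h>
/* Simplified models of the kernel work structures (not the real API). */
struct dwork_model {
	bool pending;  /* queued; the handler runs when the timer fires */
	bool disabled; /* set by the disable variant; rejects re-queueing */
};
struct peer_mep_model {
	bool ccm_defect;
	struct dwork_model ccm_rx_dwork;
};
/* queue_delayed_work(): silently rejected once the work is disabled. */
static bool model_queue_delayed_work(struct dwork_model *w)
{
	if (w->disabled)
		return false;
	w->pending = true;
	return true;
}
/* cancel_delayed_work_sync(): stops a pending run, stays re-schedulable. */
static void model_cancel_delayed_work_sync(struct dwork_model *w)
{
	w->pending = false;
}
/* disable_delayed_work_sync(): cancels and blocks later queue attempts. */
static void model_disable_delayed_work_sync(struct dwork_model *w)
{
	w->pending = false;
	w->disabled = true;
}
/* cpu1: br_cfm_frame_rx() re-arming the CCM rx timer (ccm_rx_timer_start). */
static void model_br_cfm_frame_rx(struct peer_mep_model *p)
{
	if (p->ccm_defect)
		model_queue_delayed_work(&p->ccm_rx_dwork);
}
/* Replay the interleaving from the commit message. Returns true when the work
 * is still pending after kfree_rcu(), i.e. it would run on a freed peer_mep. */
static bool replay_race(bool fixed)
{
	struct peer_mep_model mep = { .ccm_defect = true };
	/* cpu0: mep_delete_implementation(), before vs. after the fix */
	if (fixed)
		model_disable_delayed_work_sync(&mep.ccm_rx_dwork);
	else
		model_cancel_delayed_work_sync(&mep.ccm_rx_dwork);
	model_br_cfm_frame_rx(&mep); /* cpu1: peer_mep still in the hlist */
	/* cpu0: hlist_del_rcu() + kfree_rcu(): peer_mep is gone from here on */
	return mep.ccm_rx_dwork.pending;
}
```

The model is sequential, so it shows only why the disabled flag closes the window; it does not reproduce the softirq timing that makes the real race hard to hit.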
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.78 | e89dbd2736a4 |
| 6.18 | 6.18.20 | d8f35767bacb |
| 6.19 | 6.19.10 | 1fd81151f659 |
| mainline | 7.0 | 3715a0085531 |