Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A use-after-free vulnerability has been identified in the Linux kernel's bridge component. It arises from a race between FDB learning and port deletion: learning can still occur after the port's forwarding database (FDB) entries have been flushed. When a port is deleted, its state is set to disabled, which halts learning. With Multiple Spanning Tree (MST) mode enabled, however, this state can be bypassed, so FDB learning can occur at inappropriate times, in particular while the port is being removed. The issue is exacerbated when VLAN filtering is disabled, because that configuration allows the unwanted FDB learning to manifest. The fix adds a check for the port's VLAN group, which is set to NULL during deletion, and thereby prevents the state bypass. This vulnerability affects the Linux kernel stable tree.
The race allows FDB learning to occur at inappropriate times, which can lead to a use-after-free condition and potentially to memory corruption.
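The decision logic described above, as an added userspace model that is not the kernel's code or the actual patch: every type and function name is hypothetical, and the VLAN-filtering branch is a modelling assumption consistent with the statement that the issue shows up when filtering is disabled.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: every name here is hypothetical, not a kernel symbol. */
enum port_state { PORT_DISABLED, PORT_LEARNING, PORT_FORWARDING };
struct vlan_group { int placeholder; };
struct bridge { bool mst_enabled, vlan_filtering; };
struct port {
    enum port_state state;    /* forced to PORT_DISABLED when deletion starts */
    struct vlan_group *vlgrp; /* set to NULL during deletion */
};

/* fixed=false: MST alone decides; fixed=true: MST counts only while vlgrp is set. */
static bool may_learn(const struct bridge *br, const struct port *p, bool fixed)
{
    bool mst = br->mst_enabled && (!fixed || p->vlgrp != NULL);
    if (!mst) /* ordinary path: the per-port state gates learning */
        return p->state == PORT_LEARNING || p->state == PORT_FORWARDING;
    /* Assumption: with filtering on, the VLAN lookup needs the port's group. */
    if (br->vlan_filtering)
        return p->vlgrp != NULL;
    return true; /* port state never consulted: the bypass the page describes */
}

/* Deletion as the page describes it: port disabled, VLAN group pointer cleared. */
static void begin_port_delete(struct port *p)
{
    p->state = PORT_DISABLED;
    p->vlgrp = NULL;
}

/* Does a frame arriving after deletion has started still trigger learning? */
bool learns_after_delete(bool mst, bool filtering, bool fixed)
{
    struct vlan_group grp = { 0 };
    struct bridge br = { mst, filtering };
    struct port p = { PORT_FORWARDING, &grp };
    begin_port_delete(&p);
    return may_learn(&br, &p, fixed);
}

int main(void)
{
    printf("before fix: %d, after fix: %d\n",
           learns_after_delete(true, false, false),
           learns_after_delete(true, false, true));
    return 0;
}
```

Only the MST-enabled, filtering-disabled case differs between the two variants, which is the configuration to look for when deciding how urgently a host needs the updated kernel.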
Users can upgrade to the latest version of the Linux kernel stable tree to address this vulnerability.