CVE-2026-53245 (GCVE-0-2026-53245)

Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-25 08:39
Title
net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr
Summary
In the Linux kernel, the following vulnerability has been resolved:

net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr

In mrp_pdu_parse_vecattr(), vector attribute events are encoded three per byte and valen tracks the number of events left to process.

The parser decrements valen after processing the first and second events from each event byte, but not after processing the third one. When valen is exactly a multiple of three, the loop continues after the last valid event and consumes the next byte as a new event byte, applying a spurious event to the MRP applicant state.

Additionally, when valen is zero the parser unconditionally consumes attrlen bytes as FirstValue and advances the offset, even though per IEEE 802.1ak a VectorAttribute with only a LeaveAllEvent has valen of zero and no FirstValue or Vector fields. This corrupts the offset for subsequent PDU parsing.

Also, when valen exceeds three the loop crosses byte boundaries but the attribute value is not incremented between the last event of one byte and the first event of the next. This causes the first event of the next byte to use the same attribute value as the third event rather than the next consecutive value.

Decrement valen after processing the third event, skip FirstValue consumption when valen is zero, and increment the attribute value at the end of each loop iteration.
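The three parsing errors in the summary can be reproduced in a small user-space model, added here as an illustration; it is not the kernel's code or the upstream patch. The names `parse_vecattr`, `struct trace` and `struct hit`, the base-6 packing constant, passing valen and attrlen as parameters, and the sample bytes are all assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

#define EV_MAX 6   /* assumption: event codes 0..5, three packed base-6 per byte */
struct hit { unsigned value, ev; };   /* attribute value, event code */
struct trace {
    size_t consumed;       /* bytes taken from the attribute body */
    int n;                 /* events applied to applicant state */
    struct hit hit[32];
};

static void apply(struct trace *t, unsigned value, unsigned ev)
{
    if (t->n < 32)
        t->hit[t->n] = (struct hit){ value, ev };
    t->n++;
}

/* fixed == 0 models the pre-patch loop; -1 means truncated or malformed input. */
static int parse_vecattr(const uint8_t *buf, size_t len, unsigned valen,
                         size_t attrlen, int fixed, struct trace *t)
{
    size_t off = 0;
    unsigned value = 0;
    *t = (struct trace){0};
    if (fixed && valen == 0)   /* LeaveAll only: no FirstValue, no Vector */
        return 0;
    if (attrlen > len)
        return -1;
    while (off < attrlen)      /* FirstValue, read big-endian */
        value = (value << 8) | buf[off++];
    while (valen > 0) {
        if (off >= len || buf[off] >= EV_MAX * EV_MAX * EV_MAX)
            return -1;         /* truncated, or malformed event byte */
        unsigned b = buf[off++];
        apply(t, value, b / (EV_MAX * EV_MAX));
        if (!--valen) break;
        apply(t, ++value, b / EV_MAX % EV_MAX);
        if (!--valen) break;
        apply(t, ++value, b % EV_MAX);
        if (fixed) {           /* patched: count the third event, then advance */
            if (!--valen) break;
            value++;
        }
    }
    t->consumed = off;
    return 0;
}

/* Constructed: FirstValue 0x000A, Vector 0x2B (events 1,1,1), then other PDU bytes. */
static const uint8_t sample[] = { 0x00, 0x0A, 0x2B, 0x00, 0x00 };

int main(void)
{
    struct trace pre, post;
    parse_vecattr(sample, sizeof sample, 3, 2, 0, &pre);
    parse_vecattr(sample, sizeof sample, 3, 2, 1, &post);
    printf("events %d -> %d, bytes %zu -> %zu\n", pre.n, post.n, pre.consumed, post.consumed);
    return 0;
}
```

With valen of 3 the pre-patch model applies a fourth event decoded from the byte after the Vector and reports one extra byte consumed; the patched model stops after three events.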
Severity
No CVSS data available.
Assigner
Impacted products
Vendor: Linux
Product: Linux
Versions:
Affected: febf018d22347b5df94066bca05d0c11a84e839d , < ae65714d96f68bb252eb20085320bdaacab36c00 (git)
Affected: febf018d22347b5df94066bca05d0c11a84e839d , < 36d259711872e3b2f6cd76a4d270c21931c0f35f (git)
Affected: febf018d22347b5df94066bca05d0c11a84e839d , < cc98717e591a963a616fdf15ecf48eefaf45d758 (git)
Affected: febf018d22347b5df94066bca05d0c11a84e839d , < 6d6e42e8e17f18d61327f8653479c5b5e161ae1d (git)
Affected: febf018d22347b5df94066bca05d0c11a84e839d , < fd9c3a47c670bec6b18f44454cea023f93b5adb3 (git)
Affected: febf018d22347b5df94066bca05d0c11a84e839d , < 42446ca0f3570663e87183c065e0b4def52dfba2 (git)
Affected: febf018d22347b5df94066bca05d0c11a84e839d , < 6eea6494e542a03cdf755a593b7d74f3f7c260fd (git)
Affected: febf018d22347b5df94066bca05d0c11a84e839d , < 7561c7fbc694308da73300f036719e63e42bf0b4 (git)
Vendor: Linux
Product: Linux
Versions:
Affected: 3.9
Unaffected: 0 , < 3.9 (semver)
Unaffected: 5.10.259 , ≤ 5.10.* (semver)
Unaffected: 5.15.210 , ≤ 5.15.* (semver)
Unaffected: 6.1.176 , ≤ 6.1.* (semver)
Unaffected: 6.6.143 , ≤ 6.6.* (semver)
Unaffected: 6.12.94 , ≤ 6.12.* (semver)
Unaffected: 6.18.36 , ≤ 6.18.* (semver)
Unaffected: 7.0.13 , ≤ 7.0.* (semver)
Unaffected: 7.1 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/802/mrp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ae65714d96f68bb252eb20085320bdaacab36c00",
              "status": "affected",
              "version": "febf018d22347b5df94066bca05d0c11a84e839d",
              "versionType": "git"
            },
            {
              "lessThan": "36d259711872e3b2f6cd76a4d270c21931c0f35f",
              "status": "affected",
              "version": "febf018d22347b5df94066bca05d0c11a84e839d",
              "versionType": "git"
            },
            {
              "lessThan": "cc98717e591a963a616fdf15ecf48eefaf45d758",
              "status": "affected",
              "version": "febf018d22347b5df94066bca05d0c11a84e839d",
              "versionType": "git"
            },
            {
              "lessThan": "6d6e42e8e17f18d61327f8653479c5b5e161ae1d",
              "status": "affected",
              "version": "febf018d22347b5df94066bca05d0c11a84e839d",
              "versionType": "git"
            },
            {
              "lessThan": "fd9c3a47c670bec6b18f44454cea023f93b5adb3",
              "status": "affected",
              "version": "febf018d22347b5df94066bca05d0c11a84e839d",
              "versionType": "git"
            },
            {
              "lessThan": "42446ca0f3570663e87183c065e0b4def52dfba2",
              "status": "affected",
              "version": "febf018d22347b5df94066bca05d0c11a84e839d",
              "versionType": "git"
            },
            {
              "lessThan": "6eea6494e542a03cdf755a593b7d74f3f7c260fd",
              "status": "affected",
              "version": "febf018d22347b5df94066bca05d0c11a84e839d",
              "versionType": "git"
            },
            {
              "lessThan": "7561c7fbc694308da73300f036719e63e42bf0b4",
              "status": "affected",
              "version": "febf018d22347b5df94066bca05d0c11a84e839d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/802/mrp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.9"
            },
            {
              "lessThan": "3.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.259",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.210",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.143",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.259",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.210",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.176",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.143",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.94",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.36",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.13",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr\n\nIn mrp_pdu_parse_vecattr(), vector attribute events are encoded three\nper byte and valen tracks the number of events left to process.\n\nThe parser decrements valen after processing the first and second events\nfrom each event byte, but not after processing the third one. When valen\nis exactly a multiple of three, the loop continues after the last valid\nevent and consumes the next byte as a new event byte, applying a\nspurious event to the MRP applicant state.\n\nAdditionally, when valen is zero the parser unconditionally consumes\nattrlen bytes as FirstValue and advances the offset, even though per\nIEEE 802.1ak a VectorAttribute with only a LeaveAllEvent has valen of\nzero and no FirstValue or Vector fields. This corrupts the offset for\nsubsequent PDU parsing.\n\nAlso, when valen exceeds three the loop crosses byte boundaries but\nthe attribute value is not incremented between the last event of one\nbyte and the first event of the next. This causes the first event of\nthe next byte to use the same attribute value as the third event\nrather than the next consecutive value.\n\nDecrement valen after processing the third event, skip FirstValue\nconsumption when valen is zero, and increment the attribute value at\nthe end of each loop iteration."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-25T08:39:39.108Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ae65714d96f68bb252eb20085320bdaacab36c00"
        },
        {
          "url": "https://git.kernel.org/stable/c/36d259711872e3b2f6cd76a4d270c21931c0f35f"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc98717e591a963a616fdf15ecf48eefaf45d758"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d6e42e8e17f18d61327f8653479c5b5e161ae1d"
        },
        {
          "url": "https://git.kernel.org/stable/c/fd9c3a47c670bec6b18f44454cea023f93b5adb3"
        },
        {
          "url": "https://git.kernel.org/stable/c/42446ca0f3570663e87183c065e0b4def52dfba2"
        },
        {
          "url": "https://git.kernel.org/stable/c/6eea6494e542a03cdf755a593b7d74f3f7c260fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/7561c7fbc694308da73300f036719e63e42bf0b4"
        }
      ],
      "title": "net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-53245",
    "datePublished": "2026-06-25T08:39:39.108Z",
    "dateReserved": "2026-06-09T07:44:35.393Z",
    "dateUpdated": "2026-06-25T08:39:39.108Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-53245",
      "date": "2026-07-01",
      "epss": "0.00184",
      "percentile": "0.0821"
    }
  }
}

