PT-2026-37410 · Linux · Linux
Published: 2026-05-06 · Updated: 2026-05-06
CVE-2026-43100
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
bridge: guard local VLAN-0 FDB helpers against NULL vlan group
When CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and
nbp_vlan_group() return NULL (br_private.h stub definitions). The
BR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and
reaches br_fdb_delete_locals_per_vlan_port() and
br_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer
is dereferenced via list_for_each_entry(v, &vg->vlan_list, vlist).
The observed crash is in the delete path, triggered when creating a
bridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0
via RTM_NEWLINK. The insert helper has the same bug pattern.
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI
KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7]
RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310
Call Trace:
br_fdb_toggle_local_vlan_0+0x452/0x4c0
br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276
br_boolopt_toggle net/bridge/br.c:313
br_boolopt_multi_toggle net/bridge/br.c:364
br_changelink net/bridge/br_netlink.c:1542
br_dev_newlink net/bridge/br_netlink.c:1575
Add NULL checks for the vlan group pointer in both helpers, returning
early when there are no VLANs to iterate. This matches the existing
pattern used by other bridge FDB functions such as br_fdb_add() and
br_fdb_delete().
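The guard described above, modeled in userspace C as an added example (not the kernel patch and not kernel source). The names vlan_group_stub(), walk_locals_per_vlan() and the simplified for_each_entry() macro are hypothetical stand-ins for the bridge helpers and list_for_each_entry(); the two VLAN entries are constructed sample data.

```c
/* Userspace model, constructed for illustration; not kernel source. */
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };
#define container_of(p, type, m) ((type *)((char *)(p) - offsetof(type, m)))
/* Simplified list_for_each_entry(); the entry type is passed explicitly. */
#define for_each_entry(pos, head, type, m)                          \
    for (pos = container_of((head)->next, type, m);                 \
         &pos->m != (head); pos = container_of(pos->m.next, type, m))

struct vlan_entry { unsigned short vid; struct list_head vlist; };
struct vlan_group { int num_vlans; struct list_head vlan_list; };

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}

/* Models the stub used when VLAN filtering is compiled out: always NULL. */
static struct vlan_group *vlan_group_stub(void) { return NULL; }

/* Guarded helper: returns how many VLAN entries it walked. */
static int walk_locals_per_vlan(struct vlan_group *vg)
{
    struct vlan_entry *v;
    int visited = 0;

    if (!vg)        /* without this, &vg->vlan_list is NULL plus an offset */
        return 0;
    for_each_entry(v, &vg->vlan_list, struct vlan_entry, vlist)
        visited++;
    return visited;
}

/* Filtering compiled out: the stub yields NULL and the helper returns early. */
static int demo_filtering_disabled(void) { return walk_locals_per_vlan(vlan_group_stub()); }

/* Filtering available: a real group with two constructed VLAN entries. */
static int demo_filtering_enabled(void)
{
    struct vlan_group vg = { .vlan_list = { &vg.vlan_list, &vg.vlan_list } };
    struct vlan_entry a = { .vid = 10 }, b = { .vid = 20 };
    list_add_tail(&a.vlist, &vg.vlan_list);
    list_add_tail(&b.vlist, &vg.vlan_list);
    return walk_locals_per_vlan(&vg);
}

int main(void) { printf("disabled=%d enabled=%d\n", demo_filtering_disabled(), demo_filtering_enabled()); return 0; }
```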
Affected Products
Linux