CVE-2026-46086

In the Linux kernel, the following vulnerability has been resolved:

net: bridge: use a stable FDB dst snapshot in RCU readers

Local FDB entries can be rewritten in place by fdb delete local(), which updates f->dst to another port or to NULL while keeping the entry alive. Several bridge RCU readers inspect f->dst, including br fdb fillbuf() through the brforward read() sysfs path.

These readers currently load f->dst multiple times and can therefore observe inconsistent values across the check and later dereference. In br fdb fillbuf(), this means a concurrent local-FDB update can change f->dst after the NULL check and before the port no dereference, leading to a NULL-ptr-deref.

Fix this by taking a single READ ONCE() snapshot of f->dst in each affected RCU reader and using that snapshot for the rest of the access sequence. Also publish the in-place f->dst updates in fdb delete local() with WRITE ONCE() so the readers and writer use matching access patterns.