CVE-2025-39773
📋 TL;DR
A Linux kernel vulnerability in the bridge networking module allows a local attacker to cause a denial of service (soft lockup) by setting multicast query intervals to extremely large values. This affects systems using Linux bridge networking with multicast querier enabled. The vulnerability requires local access to configure bridge settings.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →
⚠️ Risk & Real-World Impact
Worst Case
Complete system lockup requiring hard reboot, disrupting all network services on affected systems
Likely Case
Local denial of service affecting bridge networking functionality, potentially disrupting container/virtualization networking
If Mitigated
Minimal impact with proper access controls preventing unauthorized bridge configuration
🎯 Exploit Status
Requires local access and CAP_NET_ADMIN capabilities to configure bridge parameters
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel versions with fixes from the referenced commits
Vendor Advisory: https://git.kernel.org/stable/c/34171b9e53bd1dc264f5556579f2b04f04435c73
Restart Required: No
Instructions:
1. Update Linux kernel to version containing the fix commits
2. For running systems, apply kernel live patch if available from distribution vendor
3. No service restart required for kernel update
🔧 Temporary Workarounds
Restrict bridge configuration access
Limit CAP_NET_ADMIN capabilities to prevent unauthorized bridge configuration
# Use Linux capabilities to restrict access
# Example: strip file capabilities from a bridge management binary so that only
# processes that already hold CAP_NET_ADMIN (i.e. real root) can change bridge settings
setcap -r /path/to/bridge-tool
Monitor bridge configuration changes
Implement monitoring for bridge parameter changes, especially multicast_query_interval
# Watch the sysfs bridge parameters for writes (this catches changes made through sysfs;
# the glob is expanded once at start, so re-run it after new bridges are created)
inotifywait -m /sys/class/net/*/bridge/multicast_query_interval
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized users from configuring bridge parameters
- Monitor systems for soft lockup warnings in kernel logs and implement automated alerting
🔍 How to Verify
Check if Vulnerable:
Check whether any bridge interface has multicast_querier enabled and whether the running kernel predates the fix commits
Check Version:
uname -r
Verify Fix Applied:
Verify that the running kernel includes the fix commits and that setting large multicast_query_interval values no longer causes soft lockups
📡 Detection & Monitoring
Log Indicators:
- Kernel soft lockup messages in /var/log/kern.log or dmesg
- Watchdog BUG messages mentioning br_multicast_query_expired
Network Indicators:
- Bridge interface becoming unresponsive
- Multicast traffic disruption on bridge networks
SIEM Query:
source="kernel" AND "soft lockup" AND "br_multicast"
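Added example (not from the advisory or the kernel project) that serves both the "Monitor bridge configuration changes" workaround and the Detection & Monitoring indicators above: it audits bridges by reading their sysfs values, which reflect the current setting whether it was changed through sysfs or over netlink (`ip link` / `bridge`), and it correlates a soft-lockup line with a br_multicast frame in the trace lines that follow, so a lockup elsewhere in the kernel does not raise this alert. `SYSFS_ROOT` is an assumption added so the script can run against a constructed tree, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory. SYSFS_ROOT is an assumption so the
# audit can be pointed at a constructed directory tree instead of /sys.
SYSFS_ROOT="${SYSFS_ROOT:-/sys/class/net}"

# Print "<bridge> multicast_query_interval=<centiseconds>" for every bridge whose
# multicast_querier is enabled (the precondition for this CVE); silent otherwise.
# Reading sysfs shows the effective value regardless of how it was set.
audit_bridges() {
    for brdir in "$SYSFS_ROOT"/*/bridge; do
        [ -d "$brdir" ] || continue        # unmatched glob or not a bridge
        br=$(basename "$(dirname "$brdir")")
        querier=$(cat "$brdir/multicast_querier" 2>/dev/null || echo 0)
        interval=$(cat "$brdir/multicast_query_interval" 2>/dev/null || echo unknown)
        [ "$querier" = "1" ] || continue
        echo "$br multicast_query_interval=$interval"
    done
}

# Read kernel log text on stdin. Arm on a "soft lockup" line and report it only
# if br_multicast appears within the next 40 lines (the stack trace that follows
# the watchdog BUG line). Exit status 0 = at least one correlated hit, 1 = none.
scan_kernel_log() {
    awk '
        /soft lockup/ { armed = NR; lockup = $0 }
        armed && NR - armed <= 40 && /br_multicast/ {
            print "ALERT: " lockup
            print "  frame: " $0
            armed = 0; hits++
        }
        END { exit hits ? 0 : 1 }
    '
}

# Stand-alone demo: audit the live system, then scan two constructed log lines
# shaped like a watchdog report (the offsets are made up for illustration).
audit_bridges
printf '%s\n' \
    'watchdog: BUG: soft lockup - CPU#2 stuck for 23s! [swapper/2:0]' \
    'RIP: 0010:br_multicast_query_expired+0x1c/0x80 [bridge]' \
    | scan_kernel_log || echo "no correlated soft lockup found"
```

For continuous monitoring, feed `dmesg -w` or the journal into `scan_kernel_log` and run `audit_bridges` from a timer so that bridges created after the watch started are still covered.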
🔗 References
- https://git.kernel.org/stable/c/34171b9e53bd1dc264f5556579f2b04f04435c73
- https://git.kernel.org/stable/c/43e281fde5e76a866a4d10780c35023f16c0e432
- https://git.kernel.org/stable/c/5bf5fce8a0c2a70d063af778fdb5b27238174cdd
- https://git.kernel.org/stable/c/96476b043efb86a94f2badd260f7f99c97bd5893
- https://git.kernel.org/stable/c/bdb19cd0de739870bb3494c815138b9dc30875c4
- https://git.kernel.org/stable/c/d1547bf460baec718b3398365f8de33d25c5f36f
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html