CVE-2025-39773 in Linux

Summary

by MITRE • 09/11/2025

In the Linux kernel, the following vulnerability has been resolved:

net: bridge: fix soft lockup in br_multicast_query_expired()

When multicast_query_interval is set to a large value, the local variable 'time' in br_multicast_send_query() may overflow. If the time is smaller than jiffies, the timer will expire immediately, and then call mod_timer() again, which creates a loop and may trigger the following soft lockup issue.

watchdog: BUG: soft lockup - CPU#1 stuck for 221s! [rb_consumer:66]
CPU: 1 UID: 0 PID: 66 Comm: rb_consumer Not tainted 6.16.0+ #259 PREEMPT(none)
Call Trace:
 <IRQ>
 __netdev_alloc_skb+0x2e/0x3a0
 br_ip6_multicast_alloc_query+0x212/0x1b70
 __br_multicast_send_query+0x376/0xac0
 br_multicast_send_query+0x299/0x510
 br_multicast_query_expired.constprop.0+0x16d/0x1b0
 call_timer_fn+0x3b/0x2a0
 __run_timers+0x619/0x950
 run_timer_softirq+0x11c/0x220
 handle_softirqs+0x18e/0x560
 __irq_exit_rcu+0x158/0x1a0
 sysvec_apic_timer_interrupt+0x76/0x90
 </IRQ>

This issue can be reproduced with:

  ip link add br0 type bridge
  echo 1 > /sys/class/net/br0/bridge/multicast_querier
  echo 0xffffffffffffffff > /sys/class/net/br0/bridge/multicast_query_interval
  ip link set dev br0 up

The multicast_startup_query_interval can also cause this issue. Similar to the commit 99b40610956a ("net: bridge: mcast: add and enforce query interval minimum"), add a check for the query interval maximum to fix this issue.


Analysis

by VulDB Data Team • 01/16/2026

The vulnerability identified as CVE-2025-39773 resides within the Linux kernel's bridge networking subsystem, specifically in the multicast handling functionality. This issue manifests as a soft lockup condition that occurs when the multicast query interval is configured to an excessively large value, creating a scenario where timer management becomes dysfunctional and leads to system unresponsiveness. The root cause lies in the improper handling of time calculations within the br_multicast_send_query() function, where a local variable named 'time' can overflow when dealing with large interval values, causing the system to enter an infinite loop of timer modifications.

The technical flaw operates through a specific sequence of events that begins with the configuration of an extremely large multicast query interval value through the sysfs interface. When the system attempts to process this value, the time calculation overflows, resulting in a situation where the timer expiration condition is met immediately. This immediate expiration triggers the mod_timer() function to be called repeatedly in a loop, as the system continuously attempts to re-schedule the timer without proper bounds checking. The overflow leaves the calculated time value smaller than jiffies, the system's time counter, so the timer is scheduled to expire immediately each time it is re-armed, which creates the soft lockup condition.

The operational impact of this vulnerability is significant as it can render the affected system completely unresponsive, requiring either a manual reboot or system reset to restore functionality. The soft lockup condition prevents the system from processing any further interrupts or tasks, effectively halting all network operations and potentially causing service disruptions. The vulnerability affects systems running Linux kernel versions that include the affected bridge multicast functionality, particularly those utilizing bridge networking components with multicast query interval configurations. The issue is particularly concerning in network infrastructure equipment or systems where bridge functionality is extensively used, as it can lead to complete system failure.

This vulnerability aligns with CWE-191, which addresses integer underflow or overflow conditions, and relates to ATT&CK technique T1490, which covers Data Destruction, as the system unresponsiveness can effectively result in service disruption. The fix implemented addresses the issue by adding bounds checking for the maximum query interval value, similar to previous fixes in the codebase that enforced minimum query interval requirements. The solution involves adding validation checks to prevent the overflow condition from occurring, ensuring that the multicast query interval values remain within reasonable bounds that prevent the timer management system from entering an infinite loop. This approach follows established security practices for preventing integer overflow conditions in kernel space operations and aligns with the broader security principles of input validation and boundary checking in critical system components.
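The wraparound and the bounds check described above can be modelled in user space. The following is an added example, not kernel code and not the upstream patch: the function names are hypothetical, intervals are treated as already converted to jiffies, and EXAMPLE_INTVL_MAX is an assumed limit chosen for illustration because the page does not state the maximum the fix enforces.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint64_t jiffies_t;   /* models 64-bit unsigned long jiffies */

/* Assumed maximum for this example only: 24 h at HZ=1000. */
#define EXAMPLE_INTVL_MAX ((jiffies_t)86400 * 1000)

/* Wrap-safe ordering in the style of the kernel's time_after(a, b). */
static int model_time_after(jiffies_t a, jiffies_t b)
{
    return (int64_t)(b - a) < 0;
}

/* Unchecked deadline: now + interval, wrapping modulo 2^64. */
static jiffies_t query_deadline(jiffies_t now, jiffies_t interval)
{
    return now + interval;
}

/* A deadline that is not after 'now' expires as soon as it is armed. */
static int fires_immediately(jiffies_t now, jiffies_t interval)
{
    return !model_time_after(query_deadline(now, interval), now);
}

/* Bounds check at configuration time: 0 = accepted, -1 = rejected. */
static int set_query_interval(jiffies_t *cfg, jiffies_t val)
{
    if (val > EXAMPLE_INTVL_MAX)
        return -1;
    *cfg = val;
    return 0;
}

int main(void)
{
    jiffies_t now = 1000, cfg = 12500;   /* constructed sample values */
    jiffies_t huge = UINT64_MAX;         /* all-ones pattern, treated here as jiffies */

    printf("normal interval fires immediately: %d\n", fires_immediately(now, cfg));
    printf("huge interval deadline: %llu (now=%llu)\n",
           (unsigned long long)query_deadline(now, huge), (unsigned long long)now);
    printf("huge interval fires immediately: %d\n", fires_immediately(now, huge));
    printf("bounds check on huge: %d, cfg still %llu\n",
           set_query_interval(&cfg, huge), (unsigned long long)cfg);
    return 0;
}
```

Rejecting the value when it is configured keeps the wrapped deadline from ever reaching the timer, which is why the check belongs on the configuration path rather than in the timer handler.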

The mitigation strategy for this vulnerability involves ensuring that all systems running affected Linux kernel versions are updated with the patched kernel that includes the bounds checking for multicast query intervals. System administrators should also review and validate all bridge configuration parameters, particularly those related to multicast query intervals, to ensure they fall within recommended ranges. Monitoring systems should be implemented to detect abnormal behavior in network bridge components, and automated alerts should be configured for any unusual timer behavior or system lockup conditions. Additionally, regular kernel updates should be performed to ensure that all known vulnerabilities are addressed, and security assessments should include verification of bridge multicast configuration parameters to prevent exploitation of similar timing-based vulnerabilities. The fix demonstrates the importance of proper integer handling in kernel space and emphasizes the need for comprehensive input validation in system-critical components that manage timing and scheduling operations.

Responsible: Linux
Reservation: 04/16/2025
Disclosure: 09/11/2025
Moderation: accepted
CPE: ready
EPSS: 0.00110
KEV: no
Activities: very low
