CVE-2025-39773: 
Linux Kernel vulnerability analysis and mitigation

In the Linux kernel, a vulnerability has been identified in the bridge multicast query functionality (CVE-2025-39773). The issue occurs when the multicastqueryinterval is set to a large value, causing a potential overflow in the local variable 'time' within the brmulticastsend_query() function. This vulnerability was recently published to the CVE List and has been included in the NVD dataset (NVD).

The vulnerability manifests when the local variable 'time' in brmulticastsendquery() overflows due to a large multicastqueryinterval value. If the time becomes smaller than jiffies, the timer expires immediately and calls modtimer() again, creating a loop that triggers a soft lockup issue. The issue can be reproduced by creating a bridge interface, enabling multicast querier, setting a large query interval value, and bringing the interface up (NVD).

When exploited, this vulnerability results in a soft lockup condition on the affected CPU, which can cause system performance degradation and potential system instability. The issue specifically manifests as a CPU getting stuck for extended periods, as evidenced by the watchdog reporting 'BUG: soft lockup - CPU#1 stuck for 221s!' (NVD).

The fix involves adding a check for the query interval maximum, similar to the approach taken in commit 99b40610956a ('net: bridge: mcast: add and enforce query interval minimum'). This prevents the overflow condition that leads to the soft lockup (NVD).