The bridge multicast implementation in the Linux kernel through 3.10.3 does not check whether a certain timer is armed before modifying the timeout value of that timer, which allows local users to cause a denial of service (BUG and system crash) via vectors involving the shutdown of a KVM virtual machine, related to net/bridge/br_mdb.c and net/bridge/br_multicast.c.
https://exchange.xforce.ibmcloud.com/vulnerabilities/85763
https://bugzilla.redhat.com/show_bug.cgi?id=984743
http://www.securityfocus.com/bid/61193