diff --git a/UPDATING b/UPDATING --- a/UPDATING +++ b/UPDATING @@ -27,6 +27,11 @@ world, or to merely disable the most expensive debugging functionality at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +20250513: + The bridge(4) sysctl net.link.bridge.member_ifaddrs now defaults to 0, + meaning that interfaces added to a bridge may not have IP addresses + assigned. Refer to bridge(4) for more information. + 20250507: UMASS quirks and auto-quirk probing has been overhauled. CAM now won't send SYNCHRONIZE CACHE unless MODE PAGE 8 is present and valid. This diff --git a/share/man/man4/bridge.4 b/share/man/man4/bridge.4 --- a/share/man/man4/bridge.4 +++ b/share/man/man4/bridge.4 @@ -36,7 +36,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd May 5, 2025 +.Dd May 13, 2025 .Dt IF_BRIDGE 4 .Os .Sh NAME @@ -163,14 +163,20 @@ should be assigned to the .Nm interface itself, not to the bridge's member interfaces. -Assigning IP addresses to bridge member interfaces is unsupported, but -for backward compatibility, it is permitted if the +Attempting to assign an IP address to a bridge member interface, or add +a member interface with an assigned IP address to a bridge, will return +an +.Dv EINVAL +.Dq ( "Invalid argument" ) +error. +For compatibility with older releases where this was permitted, setting +the .Xr sysctl 8 variable .Va net.link.bridge.member_ifaddrs -is set to 1, which is the default. -In a future release, this sysctl may be set to 0 by default, or may be -removed entirely. +to 1 will permit this configuration. +This sysctl variable will be removed in +.Fx 16.0. .Sh IPV6 SUPPORT .Nm supports the diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c --- a/sys/net/if_bridge.c +++ b/sys/net/if_bridge.c 
@@ -504,10 +504,10 @@
 "Log MAC address port flapping");
 /* allow IP addresses on bridge members */
-VNET_DEFINE_STATIC(bool, member_ifaddrs) = true;
+VNET_DEFINE_STATIC(bool, member_ifaddrs) = false;
 #define V_member_ifaddrs VNET(member_ifaddrs)
 SYSCTL_BOOL(_net_link_bridge, OID_AUTO, member_ifaddrs,
- CTLFLAG_RW | CTLFLAG_VNET, &VNET_NAME(member_ifaddrs), true,
+ CTLFLAG_RW | CTLFLAG_VNET, &VNET_NAME(member_ifaddrs), false,
 "Allow layer 3 addresses on bridge members");
 static bool
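Review bot: The comment above `VNET_DEFINE_STATIC(bool, member_ifaddrs)` still reads as if addresses on bridge members were an ordinary option, while the new initializer makes rejection the default and the bridge.4 text in this same commit schedules the variable for removal in FreeBSD 16.0. I would change it to something like `/* compat knob: allow IP addresses on bridge members; off by default, slated for removal in 16.0 */` so the next reader does not treat 1 as a supported setting. Separately, the OID keeps `CTLFLAG_RW | CTLFLAG_VNET` with no tunable flag, so it looks as if the compatibility value can only be set once if_bridge is loaded, and inside a VNET jail by that jail's own root. It is worth confirming that both are intended, since the code that consults the flag is outside this hunk.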