CVE-2026-43234 (GCVE-0-2026-43234)

Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-05-11 22:20
VLAI?
Title
team: avoid NETDEV_CHANGEMTU event when unregistering slave
Summary
In the Linux kernel, the following vulnerability has been resolved: team: avoid NETDEV_CHANGEMTU event when unregistering slave syzbot is reporting unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3 ref_tracker: netdev@ffff88807dcf8618 has 1/2 users at __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline] netdev_hold include/linux/netdevice.h:4429 [inline] inetdev_init+0x201/0x4e0 net/ipv4/devinet.c:286 inetdev_event+0x251/0x1610 net/ipv4/devinet.c:1600 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_mtu net/core/dev.c:2318 [inline] netif_set_mtu_ext+0x5aa/0x800 net/core/dev.c:9886 netif_set_mtu+0xd7/0x1b0 net/core/dev.c:9907 dev_set_mtu+0x126/0x260 net/core/dev_api.c:248 team_port_del+0xb07/0xcb0 drivers/net/team/team_core.c:1333 team_del_slave drivers/net/team/team_core.c:1936 [inline] team_device_event+0x207/0x5b0 drivers/net/team/team_core.c:2929 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2281 [inline] call_netdevice_notifiers net/core/dev.c:2295 [inline] __dev_change_net_namespace+0xcb7/0x2050 net/core/dev.c:12592 do_setlink+0x2ce/0x4590 net/core/rtnetlink.c:3060 rtnl_changelink net/core/rtnetlink.c:3776 [inline] __rtnl_newlink net/core/rtnetlink.c:3935 [inline] rtnl_newlink+0x15a9/0x1be0 net/core/rtnetlink.c:4072 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894 problem. Ido Schimmel found steps to reproduce ip link add name team1 type team ip link add name dummy1 mtu 1499 master team1 type dummy ip netns add ns1 ip link set dev dummy1 netns ns1 ip -n ns1 link del dev dummy1 and also found that the same issue was fixed in the bond driver in commit f51048c3e07b ("bonding: avoid NETDEV_CHANGEMTU event when unregistering slave"). Let's do similar thing for the team driver, with commit ad7c7b2172c3 ("net: hold netdev instance lock during sysfs operations") and commit 303a8487a657 ("net: s/__dev_set_mtu/__netif_set_mtu/") also applied.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 , < bce42728ac4887060a24a585c5122fbd24939db7 (git)
Affected: 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 , < 5268892de70f0b29bde341db863b234aa9259c08 (git)
Affected: 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 , < bb4c698633c0e19717586a6524a33196cff01a32 (git)
Create a notification for this product.
Linux Linux Affected: 3.3
Unaffected: 0 , < 3.3 (semver)
Unaffected: 6.18.16 , ≤ 6.18.* (semver)
Unaffected: 6.19.6 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/team/team_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bce42728ac4887060a24a585c5122fbd24939db7",
              "status": "affected",
              "version": "3d249d4ca7d0ed6629a135ea1ea21c72286c0d80",
              "versionType": "git"
            },
            {
              "lessThan": "5268892de70f0b29bde341db863b234aa9259c08",
              "status": "affected",
              "version": "3d249d4ca7d0ed6629a135ea1ea21c72286c0d80",
              "versionType": "git"
            },
            {
              "lessThan": "bb4c698633c0e19717586a6524a33196cff01a32",
              "status": "affected",
              "version": "3d249d4ca7d0ed6629a135ea1ea21c72286c0d80",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/team/team_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.3"
            },
            {
              "lessThan": "3.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.16",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.6",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: avoid NETDEV_CHANGEMTU event when unregistering slave\n\nsyzbot is reporting\n\n  unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3\n  ref_tracker: netdev@ffff88807dcf8618 has 1/2 users at\n       __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]\n       netdev_hold include/linux/netdevice.h:4429 [inline]\n       inetdev_init+0x201/0x4e0 net/ipv4/devinet.c:286\n       inetdev_event+0x251/0x1610 net/ipv4/devinet.c:1600\n       notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85\n       call_netdevice_notifiers_mtu net/core/dev.c:2318 [inline]\n       netif_set_mtu_ext+0x5aa/0x800 net/core/dev.c:9886\n       netif_set_mtu+0xd7/0x1b0 net/core/dev.c:9907\n       dev_set_mtu+0x126/0x260 net/core/dev_api.c:248\n       team_port_del+0xb07/0xcb0 drivers/net/team/team_core.c:1333\n       team_del_slave drivers/net/team/team_core.c:1936 [inline]\n       team_device_event+0x207/0x5b0 drivers/net/team/team_core.c:2929\n       notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85\n       call_netdevice_notifiers_extack net/core/dev.c:2281 [inline]\n       call_netdevice_notifiers net/core/dev.c:2295 [inline]\n       __dev_change_net_namespace+0xcb7/0x2050 net/core/dev.c:12592\n       do_setlink+0x2ce/0x4590 net/core/rtnetlink.c:3060\n       rtnl_changelink net/core/rtnetlink.c:3776 [inline]\n       __rtnl_newlink net/core/rtnetlink.c:3935 [inline]\n       rtnl_newlink+0x15a9/0x1be0 net/core/rtnetlink.c:4072\n       rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958\n       netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550\n       netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n       netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344\n       netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894\n\nproblem. Ido Schimmel found steps to reproduce\n\n  ip link add name team1 type team\n  ip link add name dummy1 mtu 1499 master team1 type dummy\n  ip netns add ns1\n  ip link set dev dummy1 netns ns1\n  ip -n ns1 link del dev dummy1\n\nand also found that the same issue was fixed in the bond driver in\ncommit f51048c3e07b (\"bonding: avoid NETDEV_CHANGEMTU event when\nunregistering slave\").\n\nLet\u0027s do similar thing for the team driver, with commit ad7c7b2172c3 (\"net:\nhold netdev instance lock during sysfs operations\") and commit 303a8487a657\n(\"net: s/__dev_set_mtu/__netif_set_mtu/\") also applied."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:20:35.930Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bce42728ac4887060a24a585c5122fbd24939db7"
        },
        {
          "url": "https://git.kernel.org/stable/c/5268892de70f0b29bde341db863b234aa9259c08"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb4c698633c0e19717586a6524a33196cff01a32"
        }
      ],
      "title": "team: avoid NETDEV_CHANGEMTU event when unregistering slave",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43234",
    "datePublished": "2026-05-06T11:28:30.212Z",
    "dateReserved": "2026-05-01T14:12:55.995Z",
    "dateUpdated": "2026-05-11T22:20:35.930Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43234",
      "date": "2026-05-23",
      "epss": "0.00013",
      "percentile": "0.02273"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43234\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-06T12:16:43.570\",\"lastModified\":\"2026-05-12T19:02:56.147\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nteam: avoid NETDEV_CHANGEMTU event when unregistering slave\\n\\nsyzbot is reporting\\n\\n  unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3\\n  ref_tracker: netdev@ffff88807dcf8618 has 1/2 users at\\n       __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]\\n       netdev_hold include/linux/netdevice.h:4429 [inline]\\n       inetdev_init+0x201/0x4e0 net/ipv4/devinet.c:286\\n       inetdev_event+0x251/0x1610 net/ipv4/devinet.c:1600\\n       notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85\\n       call_netdevice_notifiers_mtu net/core/dev.c:2318 [inline]\\n       netif_set_mtu_ext+0x5aa/0x800 net/core/dev.c:9886\\n       netif_set_mtu+0xd7/0x1b0 net/core/dev.c:9907\\n       dev_set_mtu+0x126/0x260 net/core/dev_api.c:248\\n       team_port_del+0xb07/0xcb0 drivers/net/team/team_core.c:1333\\n       team_del_slave drivers/net/team/team_core.c:1936 [inline]\\n       team_device_event+0x207/0x5b0 drivers/net/team/team_core.c:2929\\n       notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85\\n       call_netdevice_notifiers_extack net/core/dev.c:2281 [inline]\\n       call_netdevice_notifiers net/core/dev.c:2295 [inline]\\n       __dev_change_net_namespace+0xcb7/0x2050 net/core/dev.c:12592\\n       do_setlink+0x2ce/0x4590 net/core/rtnetlink.c:3060\\n       rtnl_changelink net/core/rtnetlink.c:3776 [inline]\\n       __rtnl_newlink net/core/rtnetlink.c:3935 [inline]\\n       rtnl_newlink+0x15a9/0x1be0 net/core/rtnetlink.c:4072\\n       rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958\\n       netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550\\n       netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\\n       netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344\\n       netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894\\n\\nproblem. Ido Schimmel found steps to reproduce\\n\\n  ip link add name team1 type team\\n  ip link add name dummy1 mtu 1499 master team1 type dummy\\n  ip netns add ns1\\n  ip link set dev dummy1 netns ns1\\n  ip -n ns1 link del dev dummy1\\n\\nand also found that the same issue was fixed in the bond driver in\\ncommit f51048c3e07b (\\\"bonding: avoid NETDEV_CHANGEMTU event when\\nunregistering slave\\\").\\n\\nLet\u0027s do similar thing for the team driver, with commit ad7c7b2172c3 (\\\"net:\\nhold netdev instance lock during sysfs operations\\\") and commit 303a8487a657\\n(\\\"net: s/__dev_set_mtu/__netif_set_mtu/\\\") also applied.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.3\",\"versionEndExcluding\":\"6.18.16\",\"matchCriteriaId\":\"7B3BAE31-1743-4215-A8D9-E51668D5BEDE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.19\",\"versionEndExcluding\":\"6.19.6\",\"matchCriteriaId\":\"373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F253B622-8837-4245-BCE5-A7BF8FC76A16\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/5268892de70f0b29bde341db863b234aa9259c08\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/bb4c698633c0e19717586a6524a33196cff01a32\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/bce42728ac4887060a24a585c5122fbd24939db7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.