CVE-2026-45970 (GCVE-0-2026-45970)

Vulnerability from cvelistv5 – Published: 2026-05-27 12:18 – Updated: 2026-05-27 12:18
VLAI
Title
bonding: alb: fix UAF in rlb_arp_recv during bond up/down
Summary
In the Linux kernel, the following vulnerability has been resolved: bonding: alb: fix UAF in rlb_arp_recv during bond up/down The ALB RX path may access rx_hashtbl concurrently with bond teardown. During rapid bond up/down cycles, rlb_deinitialize() frees rx_hashtbl while RX handlers are still running, leading to a null pointer dereference detected by KASAN. However, the root cause is that rlb_arp_recv() can still be accessed after setting recv_probe to NULL, which is actually a use-after-free (UAF) issue. That is the reason for using the referenced commit in the Fixes tag. [ 214.174138] Oops: general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] SMP KASAN PTI [ 214.186478] KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef] [ 214.194933] CPU: 30 UID: 0 PID: 2375 Comm: ping Kdump: loaded Not tainted 6.19.0-rc8+ #2 PREEMPT(voluntary) [ 214.205907] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.14.0 01/14/2022 [ 214.214357] RIP: 0010:rlb_arp_recv+0x505/0xab0 [bonding] [ 214.220320] Code: 0f 85 2b 05 00 00 48 b8 00 00 00 00 00 fc ff df 40 0f b6 ed 48 c1 e5 06 49 03 ad 78 01 00 00 48 8d 7d 28 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 06 0f 8e 12 05 00 00 80 7d 28 00 0f 84 8c 00 [ 214.241280] RSP: 0018:ffffc900073d8870 EFLAGS: 00010206 [ 214.247116] RAX: dffffc0000000000 RBX: ffff888168556822 RCX: ffff88816855681e [ 214.255082] RDX: 000000000000001d RSI: dffffc0000000000 RDI: 00000000000000e8 [ 214.263048] RBP: 00000000000000c0 R08: 0000000000000002 R09: ffffed11192021c8 [ 214.271013] R10: ffff8888c9010e43 R11: 0000000000000001 R12: 1ffff92000e7b119 [ 214.278978] R13: ffff8888c9010e00 R14: ffff888168556822 R15: ffff888168556810 [ 214.286943] FS: 00007f85d2d9cb80(0000) GS:ffff88886ccb3000(0000) knlGS:0000000000000000 [ 214.295966] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 214.302380] CR2: 00007f0d047b5e34 CR3: 00000008a1c2e002 CR4: 00000000001726f0 [ 214.310347] Call Trace: [ 214.313070] <IRQ> [ 214.315318] ? __pfx_rlb_arp_recv+0x10/0x10 [bonding] [ 214.320975] bond_handle_frame+0x166/0xb60 [bonding] [ 214.326537] ? __pfx_bond_handle_frame+0x10/0x10 [bonding] [ 214.332680] __netif_receive_skb_core.constprop.0+0x576/0x2710 [ 214.339199] ? __pfx_arp_process+0x10/0x10 [ 214.343775] ? sched_balance_find_src_group+0x98/0x630 [ 214.349513] ? __pfx___netif_receive_skb_core.constprop.0+0x10/0x10 [ 214.356513] ? arp_rcv+0x307/0x690 [ 214.360311] ? __pfx_arp_rcv+0x10/0x10 [ 214.364499] ? __lock_acquire+0x58c/0xbd0 [ 214.368975] __netif_receive_skb_one_core+0xae/0x1b0 [ 214.374518] ? __pfx___netif_receive_skb_one_core+0x10/0x10 [ 214.380743] ? lock_acquire+0x10b/0x140 [ 214.385026] process_backlog+0x3f1/0x13a0 [ 214.389502] ? process_backlog+0x3aa/0x13a0 [ 214.394174] __napi_poll.constprop.0+0x9f/0x370 [ 214.399233] net_rx_action+0x8c1/0xe60 [ 214.403423] ? __pfx_net_rx_action+0x10/0x10 [ 214.408193] ? lock_acquire.part.0+0xbd/0x260 [ 214.413058] ? sched_clock_cpu+0x6c/0x540 [ 214.417540] ? mark_held_locks+0x40/0x70 [ 214.421920] handle_softirqs+0x1fd/0x860 [ 214.426302] ? __pfx_handle_softirqs+0x10/0x10 [ 214.431264] ? __neigh_event_send+0x2d6/0xf50 [ 214.436131] do_softirq+0xb1/0xf0 [ 214.439830] </IRQ> The issue is reproducible by repeatedly running ip link set bond0 up/down while receiving ARP messages, where rlb_arp_recv() can race with rlb_deinitialize() and dereference a freed rx_hashtbl entry. Fix this by setting recv_probe to NULL and then calling synchronize_net() to wait for any concurrent RX processing to finish. This ensures that no RX handler can access rx_hashtbl after it is freed in bond_alb_deinitialize().
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 3aba891dde3842d89ad022237b99c1ed308040b0 , < fd54ddc929be1d6c3b3b7b35d6d4642a5d9e803c (git)
Affected: 3aba891dde3842d89ad022237b99c1ed308040b0 , < de7c097800f07f3c108185c7a38b53a530ba30ff (git)
Affected: 3aba891dde3842d89ad022237b99c1ed308040b0 , < db5435b5342e3aaa4521d0f3ccfe94316b253ca1 (git)
Affected: 3aba891dde3842d89ad022237b99c1ed308040b0 , < f94a0de7b9f32745a14a1621c63087a092823587 (git)
Affected: 3aba891dde3842d89ad022237b99c1ed308040b0 , < c65cdf46ce340c9c00fbbaf84599d2daff43626e (git)
Affected: 3aba891dde3842d89ad022237b99c1ed308040b0 , < fef13c403be3fb685cb06419e6b3623106aab5ba (git)
Affected: 3aba891dde3842d89ad022237b99c1ed308040b0 , < d31065526f160ee0244a719230aa069daca2bf4d (git)
Affected: 3aba891dde3842d89ad022237b99c1ed308040b0 , < e6834a4c474697df23ab9948fd3577b26bf48656 (git)
Create a notification for this product.
Linux Linux Affected: 3.0
Unaffected: 0 , < 3.0 (semver)
Unaffected: 5.10.252 , ≤ 5.10.* (semver)
Unaffected: 5.15.202 , ≤ 5.15.* (semver)
Unaffected: 6.1.165 , ≤ 6.1.* (semver)
Unaffected: 6.6.128 , ≤ 6.6.* (semver)
Unaffected: 6.12.75 , ≤ 6.12.* (semver)
Unaffected: 6.18.14 , ≤ 6.18.* (semver)
Unaffected: 6.19.4 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/bonding/bond_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fd54ddc929be1d6c3b3b7b35d6d4642a5d9e803c",
              "status": "affected",
              "version": "3aba891dde3842d89ad022237b99c1ed308040b0",
              "versionType": "git"
            },
            {
              "lessThan": "de7c097800f07f3c108185c7a38b53a530ba30ff",
              "status": "affected",
              "version": "3aba891dde3842d89ad022237b99c1ed308040b0",
              "versionType": "git"
            },
            {
              "lessThan": "db5435b5342e3aaa4521d0f3ccfe94316b253ca1",
              "status": "affected",
              "version": "3aba891dde3842d89ad022237b99c1ed308040b0",
              "versionType": "git"
            },
            {
              "lessThan": "f94a0de7b9f32745a14a1621c63087a092823587",
              "status": "affected",
              "version": "3aba891dde3842d89ad022237b99c1ed308040b0",
              "versionType": "git"
            },
            {
              "lessThan": "c65cdf46ce340c9c00fbbaf84599d2daff43626e",
              "status": "affected",
              "version": "3aba891dde3842d89ad022237b99c1ed308040b0",
              "versionType": "git"
            },
            {
              "lessThan": "fef13c403be3fb685cb06419e6b3623106aab5ba",
              "status": "affected",
              "version": "3aba891dde3842d89ad022237b99c1ed308040b0",
              "versionType": "git"
            },
            {
              "lessThan": "d31065526f160ee0244a719230aa069daca2bf4d",
              "status": "affected",
              "version": "3aba891dde3842d89ad022237b99c1ed308040b0",
              "versionType": "git"
            },
            {
              "lessThan": "e6834a4c474697df23ab9948fd3577b26bf48656",
              "status": "affected",
              "version": "3aba891dde3842d89ad022237b99c1ed308040b0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/bonding/bond_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.0"
            },
            {
              "lessThan": "3.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.252",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.202",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.165",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.252",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.202",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.165",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.128",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.14",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.4",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: alb: fix UAF in rlb_arp_recv during bond up/down\n\nThe ALB RX path may access rx_hashtbl concurrently with bond\nteardown. During rapid bond up/down cycles, rlb_deinitialize()\nfrees rx_hashtbl while RX handlers are still running, leading\nto a null pointer dereference detected by KASAN.\n\nHowever, the root cause is that rlb_arp_recv() can still be accessed\nafter setting recv_probe to NULL, which is actually a use-after-free\n(UAF) issue. That is the reason for using the referenced commit in the\nFixes tag.\n\n[  214.174138] Oops: general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] SMP KASAN PTI\n[  214.186478] KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef]\n[  214.194933] CPU: 30 UID: 0 PID: 2375 Comm: ping Kdump: loaded Not tainted 6.19.0-rc8+ #2 PREEMPT(voluntary)\n[  214.205907] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.14.0 01/14/2022\n[  214.214357] RIP: 0010:rlb_arp_recv+0x505/0xab0 [bonding]\n[  214.220320] Code: 0f 85 2b 05 00 00 48 b8 00 00 00 00 00 fc ff df 40 0f b6 ed 48 c1 e5 06 49 03 ad 78 01 00 00 48 8d 7d 28 48 89 fa 48 c1 ea 03 \u003c0f\u003e b6\n 04 02 84 c0 74 06 0f 8e 12 05 00 00 80 7d 28 00 0f 84 8c 00\n[  214.241280] RSP: 0018:ffffc900073d8870 EFLAGS: 00010206\n[  214.247116] RAX: dffffc0000000000 RBX: ffff888168556822 RCX: ffff88816855681e\n[  214.255082] RDX: 000000000000001d RSI: dffffc0000000000 RDI: 00000000000000e8\n[  214.263048] RBP: 00000000000000c0 R08: 0000000000000002 R09: ffffed11192021c8\n[  214.271013] R10: ffff8888c9010e43 R11: 0000000000000001 R12: 1ffff92000e7b119\n[  214.278978] R13: ffff8888c9010e00 R14: ffff888168556822 R15: ffff888168556810\n[  214.286943] FS:  00007f85d2d9cb80(0000) GS:ffff88886ccb3000(0000) knlGS:0000000000000000\n[  214.295966] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  214.302380] CR2: 00007f0d047b5e34 CR3: 00000008a1c2e002 CR4: 00000000001726f0\n[  214.310347] Call Trace:\n[  214.313070]  \u003cIRQ\u003e\n[  214.315318]  ? __pfx_rlb_arp_recv+0x10/0x10 [bonding]\n[  214.320975]  bond_handle_frame+0x166/0xb60 [bonding]\n[  214.326537]  ? __pfx_bond_handle_frame+0x10/0x10 [bonding]\n[  214.332680]  __netif_receive_skb_core.constprop.0+0x576/0x2710\n[  214.339199]  ? __pfx_arp_process+0x10/0x10\n[  214.343775]  ? sched_balance_find_src_group+0x98/0x630\n[  214.349513]  ? __pfx___netif_receive_skb_core.constprop.0+0x10/0x10\n[  214.356513]  ? arp_rcv+0x307/0x690\n[  214.360311]  ? __pfx_arp_rcv+0x10/0x10\n[  214.364499]  ? __lock_acquire+0x58c/0xbd0\n[  214.368975]  __netif_receive_skb_one_core+0xae/0x1b0\n[  214.374518]  ? __pfx___netif_receive_skb_one_core+0x10/0x10\n[  214.380743]  ? lock_acquire+0x10b/0x140\n[  214.385026]  process_backlog+0x3f1/0x13a0\n[  214.389502]  ? process_backlog+0x3aa/0x13a0\n[  214.394174]  __napi_poll.constprop.0+0x9f/0x370\n[  214.399233]  net_rx_action+0x8c1/0xe60\n[  214.403423]  ? __pfx_net_rx_action+0x10/0x10\n[  214.408193]  ? lock_acquire.part.0+0xbd/0x260\n[  214.413058]  ? sched_clock_cpu+0x6c/0x540\n[  214.417540]  ? mark_held_locks+0x40/0x70\n[  214.421920]  handle_softirqs+0x1fd/0x860\n[  214.426302]  ? __pfx_handle_softirqs+0x10/0x10\n[  214.431264]  ? __neigh_event_send+0x2d6/0xf50\n[  214.436131]  do_softirq+0xb1/0xf0\n[  214.439830]  \u003c/IRQ\u003e\n\nThe issue is reproducible by repeatedly running\nip link set bond0 up/down while receiving ARP messages, where\nrlb_arp_recv() can race with rlb_deinitialize() and dereference\na freed rx_hashtbl entry.\n\nFix this by setting recv_probe to NULL and then calling\nsynchronize_net() to wait for any concurrent RX processing to finish.\nThis ensures that no RX handler can access rx_hashtbl after it is freed\nin bond_alb_deinitialize()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T12:18:29.878Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fd54ddc929be1d6c3b3b7b35d6d4642a5d9e803c"
        },
        {
          "url": "https://git.kernel.org/stable/c/de7c097800f07f3c108185c7a38b53a530ba30ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/db5435b5342e3aaa4521d0f3ccfe94316b253ca1"
        },
        {
          "url": "https://git.kernel.org/stable/c/f94a0de7b9f32745a14a1621c63087a092823587"
        },
        {
          "url": "https://git.kernel.org/stable/c/c65cdf46ce340c9c00fbbaf84599d2daff43626e"
        },
        {
          "url": "https://git.kernel.org/stable/c/fef13c403be3fb685cb06419e6b3623106aab5ba"
        },
        {
          "url": "https://git.kernel.org/stable/c/d31065526f160ee0244a719230aa069daca2bf4d"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6834a4c474697df23ab9948fd3577b26bf48656"
        }
      ],
      "title": "bonding: alb: fix UAF in rlb_arp_recv during bond up/down",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45970",
    "datePublished": "2026-05-27T12:18:29.878Z",
    "dateReserved": "2026-05-13T15:03:33.089Z",
    "dateUpdated": "2026-05-27T12:18:29.878Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-45970",
      "date": "2026-05-29",
      "epss": "0.00024",
      "percentile": "0.07393"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-45970\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-27T14:17:13.920\",\"lastModified\":\"2026-05-27T14:48:03.013\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbonding: alb: fix UAF in rlb_arp_recv during bond up/down\\n\\nThe ALB RX path may access rx_hashtbl concurrently with bond\\nteardown. During rapid bond up/down cycles, rlb_deinitialize()\\nfrees rx_hashtbl while RX handlers are still running, leading\\nto a null pointer dereference detected by KASAN.\\n\\nHowever, the root cause is that rlb_arp_recv() can still be accessed\\nafter setting recv_probe to NULL, which is actually a use-after-free\\n(UAF) issue. That is the reason for using the referenced commit in the\\nFixes tag.\\n\\n[  214.174138] Oops: general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] SMP KASAN PTI\\n[  214.186478] KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef]\\n[  214.194933] CPU: 30 UID: 0 PID: 2375 Comm: ping Kdump: loaded Not tainted 6.19.0-rc8+ #2 PREEMPT(voluntary)\\n[  214.205907] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.14.0 01/14/2022\\n[  214.214357] RIP: 0010:rlb_arp_recv+0x505/0xab0 [bonding]\\n[  214.220320] Code: 0f 85 2b 05 00 00 48 b8 00 00 00 00 00 fc ff df 40 0f b6 ed 48 c1 e5 06 49 03 ad 78 01 00 00 48 8d 7d 28 48 89 fa 48 c1 ea 03 \u003c0f\u003e b6\\n 04 02 84 c0 74 06 0f 8e 12 05 00 00 80 7d 28 00 0f 84 8c 00\\n[  214.241280] RSP: 0018:ffffc900073d8870 EFLAGS: 00010206\\n[  214.247116] RAX: dffffc0000000000 RBX: ffff888168556822 RCX: ffff88816855681e\\n[  214.255082] RDX: 000000000000001d RSI: dffffc0000000000 RDI: 00000000000000e8\\n[  214.263048] RBP: 00000000000000c0 R08: 0000000000000002 R09: ffffed11192021c8\\n[  214.271013] R10: ffff8888c9010e43 R11: 0000000000000001 R12: 1ffff92000e7b119\\n[  214.278978] R13: ffff8888c9010e00 R14: ffff888168556822 R15: ffff888168556810\\n[  214.286943] FS:  00007f85d2d9cb80(0000) GS:ffff88886ccb3000(0000) knlGS:0000000000000000\\n[  214.295966] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[  214.302380] CR2: 00007f0d047b5e34 CR3: 00000008a1c2e002 CR4: 00000000001726f0\\n[  214.310347] Call Trace:\\n[  214.313070]  \u003cIRQ\u003e\\n[  214.315318]  ? __pfx_rlb_arp_recv+0x10/0x10 [bonding]\\n[  214.320975]  bond_handle_frame+0x166/0xb60 [bonding]\\n[  214.326537]  ? __pfx_bond_handle_frame+0x10/0x10 [bonding]\\n[  214.332680]  __netif_receive_skb_core.constprop.0+0x576/0x2710\\n[  214.339199]  ? __pfx_arp_process+0x10/0x10\\n[  214.343775]  ? sched_balance_find_src_group+0x98/0x630\\n[  214.349513]  ? __pfx___netif_receive_skb_core.constprop.0+0x10/0x10\\n[  214.356513]  ? arp_rcv+0x307/0x690\\n[  214.360311]  ? __pfx_arp_rcv+0x10/0x10\\n[  214.364499]  ? __lock_acquire+0x58c/0xbd0\\n[  214.368975]  __netif_receive_skb_one_core+0xae/0x1b0\\n[  214.374518]  ? __pfx___netif_receive_skb_one_core+0x10/0x10\\n[  214.380743]  ? lock_acquire+0x10b/0x140\\n[  214.385026]  process_backlog+0x3f1/0x13a0\\n[  214.389502]  ? process_backlog+0x3aa/0x13a0\\n[  214.394174]  __napi_poll.constprop.0+0x9f/0x370\\n[  214.399233]  net_rx_action+0x8c1/0xe60\\n[  214.403423]  ? __pfx_net_rx_action+0x10/0x10\\n[  214.408193]  ? lock_acquire.part.0+0xbd/0x260\\n[  214.413058]  ? sched_clock_cpu+0x6c/0x540\\n[  214.417540]  ? mark_held_locks+0x40/0x70\\n[  214.421920]  handle_softirqs+0x1fd/0x860\\n[  214.426302]  ? __pfx_handle_softirqs+0x10/0x10\\n[  214.431264]  ? __neigh_event_send+0x2d6/0xf50\\n[  214.436131]  do_softirq+0xb1/0xf0\\n[  214.439830]  \u003c/IRQ\u003e\\n\\nThe issue is reproducible by repeatedly running\\nip link set bond0 up/down while receiving ARP messages, where\\nrlb_arp_recv() can race with rlb_deinitialize() and dereference\\na freed rx_hashtbl entry.\\n\\nFix this by setting recv_probe to NULL and then calling\\nsynchronize_net() to wait for any concurrent RX processing to finish.\\nThis ensures that no RX handler can access rx_hashtbl after it is freed\\nin bond_alb_deinitialize().\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/c65cdf46ce340c9c00fbbaf84599d2daff43626e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d31065526f160ee0244a719230aa069daca2bf4d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/db5435b5342e3aaa4521d0f3ccfe94316b253ca1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/de7c097800f07f3c108185c7a38b53a530ba30ff\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e6834a4c474697df23ab9948fd3577b26bf48656\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f94a0de7b9f32745a14a1621c63087a092823587\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fd54ddc929be1d6c3b3b7b35d6d4642a5d9e803c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fef13c403be3fb685cb06419e6b3623106aab5ba\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.