FKIE_CVE-2026-43456

Vulnerability from fkie_nvd - Published: 2026-05-08 15:16 - Updated: 2026-05-12 14:10
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: bonding: fix type confusion in bond_setup_by_slave() kernel BUG at net/core/skbuff.c:2306! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI RIP: 0010:pskb_expand_head+0xa08/0xfe0 net/core/skbuff.c:2306 RSP: 0018:ffffc90004aff760 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88807e3c8780 RCX: ffffffff89593e0e RDX: ffff88807b7c4900 RSI: ffffffff89594747 RDI: ffff88807b7c4900 RBP: 0000000000000820 R08: 0000000000000005 R09: 0000000000000000 R10: 00000000961a63e0 R11: 0000000000000000 R12: ffff88807e3c8780 R13: 00000000961a6560 R14: dffffc0000000000 R15: 00000000961a63e0 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe1a0ed8df0 CR3: 000000002d816000 CR4: 00000000003526f0 Call Trace: <TASK> ipgre_header+0xdd/0x540 net/ipv4/ip_gre.c:900 dev_hard_header include/linux/netdevice.h:3439 [inline] packet_snd net/packet/af_packet.c:3028 [inline] packet_sendmsg+0x3ae5/0x53c0 net/packet/af_packet.c:3108 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa54/0xc30 net/socket.c:2592 ___sys_sendmsg+0x190/0x1e0 net/socket.c:2646 __sys_sendmsg+0x170/0x220 net/socket.c:2678 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe1a0e6c1a9 When a non-Ethernet device (e.g. GRE tunnel) is enslaved to a bond, bond_setup_by_slave() directly copies the slave's header_ops to the bond device: bond_dev->header_ops = slave_dev->header_ops; This causes a type confusion when dev_hard_header() is later called on the bond device. Functions like ipgre_header(), ip6gre_header(),all use netdev_priv(dev) to access their device-specific private data. When called with the bond device, netdev_priv() returns the bond's private data (struct bonding) instead of the expected type (e.g. struct ip_tunnel), leading to garbage values being read and kernel crashes. Fix this by introducing bond_header_ops with wrapper functions that delegate to the active slave's header_ops using the slave's own device. This ensures netdev_priv() in the slave's header functions always receives the correct device. The fix is placed in the bonding driver rather than individual device drivers, as the root cause is bond blindly inheriting header_ops from the slave without considering that these callbacks expect a specific netdev_priv() layout. The type confusion can be observed by adding a printk in ipgre_header() and running the following commands: ip link add dummy0 type dummy ip addr add 10.0.0.1/24 dev dummy0 ip link set dummy0 up ip link add gre1 type gre local 10.0.0.1 ip link add bond1 type bond mode active-backup ip link set gre1 master bond1 ip link set gre1 up ip link set bond1 up ip addr add fe80::1/64 dev bond1
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6ac890f1d60ac3707ee8dae15a67d9a833e49956
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/950803f7254721c1c15858fbbfae3deaaeeecb11
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/95597d11dc8bddb2b9a051c9232000bfbb5e43ba
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9baf26a91565b7bb2b1d9f99aaf884a2b28c2f6d
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix type confusion in bond_setup_by_slave()\n\nkernel BUG at net/core/skbuff.c:2306!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nRIP: 0010:pskb_expand_head+0xa08/0xfe0 net/core/skbuff.c:2306\nRSP: 0018:ffffc90004aff760 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff88807e3c8780 RCX: ffffffff89593e0e\nRDX: ffff88807b7c4900 RSI: ffffffff89594747 RDI: ffff88807b7c4900\nRBP: 0000000000000820 R08: 0000000000000005 R09: 0000000000000000\nR10: 00000000961a63e0 R11: 0000000000000000 R12: ffff88807e3c8780\nR13: 00000000961a6560 R14: dffffc0000000000 R15: 00000000961a63e0\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fe1a0ed8df0 CR3: 000000002d816000 CR4: 00000000003526f0\nCall Trace:\n \u003cTASK\u003e\n ipgre_header+0xdd/0x540 net/ipv4/ip_gre.c:900\n dev_hard_header include/linux/netdevice.h:3439 [inline]\n packet_snd net/packet/af_packet.c:3028 [inline]\n packet_sendmsg+0x3ae5/0x53c0 net/packet/af_packet.c:3108\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n ____sys_sendmsg+0xa54/0xc30 net/socket.c:2592\n ___sys_sendmsg+0x190/0x1e0 net/socket.c:2646\n __sys_sendmsg+0x170/0x220 net/socket.c:2678\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fe1a0e6c1a9\n\nWhen a non-Ethernet device (e.g. GRE tunnel) is enslaved to a bond,\nbond_setup_by_slave() directly copies the slave\u0027s header_ops to the\nbond device:\n\n    bond_dev-\u003eheader_ops = slave_dev-\u003eheader_ops;\n\nThis causes a type confusion when dev_hard_header() is later called\non the bond device. Functions like ipgre_header(), ip6gre_header(),all use\nnetdev_priv(dev) to access their device-specific private data. When\ncalled with the bond device, netdev_priv() returns the bond\u0027s private\ndata (struct bonding) instead of the expected type (e.g. struct\nip_tunnel), leading to garbage values being read and kernel crashes.\n\nFix this by introducing bond_header_ops with wrapper functions that\ndelegate to the active slave\u0027s header_ops using the slave\u0027s own\ndevice. This ensures netdev_priv() in the slave\u0027s header functions\nalways receives the correct device.\n\nThe fix is placed in the bonding driver rather than individual device\ndrivers, as the root cause is bond blindly inheriting header_ops from\nthe slave without considering that these callbacks expect a specific\nnetdev_priv() layout.\n\nThe type confusion can be observed by adding a printk in\nipgre_header() and running the following commands:\n\n    ip link add dummy0 type dummy\n    ip addr add 10.0.0.1/24 dev dummy0\n    ip link set dummy0 up\n    ip link add gre1 type gre local 10.0.0.1\n    ip link add bond1 type bond mode active-backup\n    ip link set gre1 master bond1\n    ip link set gre1 up\n    ip link set bond1 up\n    ip addr add fe80::1/64 dev bond1"
    }
  ],
  "id": "CVE-2026-43456",
  "lastModified": "2026-05-12T14:10:27.343",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-08T15:16:58.387",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/6ac890f1d60ac3707ee8dae15a67d9a833e49956"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/950803f7254721c1c15858fbbfae3deaaeeecb11"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/95597d11dc8bddb2b9a051c9232000bfbb5e43ba"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9baf26a91565b7bb2b1d9f99aaf884a2b28c2f6d"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.