CVE-2026-23099 in Linux
Summary
by MITRE • 02/04/2026
In the Linux kernel, the following vulnerability has been resolved:
bonding: limit BOND_MODE_8023AD to Ethernet devices
BOND_MODE_8023AD makes sense for ARPHRD_ETHER only.
syzbot reported:
BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline]
BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497
CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full) Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 __hw_addr_create net/core/dev_addr_lists.c:63 [inline]
__hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 __dev_mc_add net/core/dev_addr_lists.c:868 [inline]
dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886 bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180 do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963 do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165 rtnl_changelink net/core/rtnetlink.c:3776 [inline]
__rtnl_newlink net/core/rtnetlink.c:3935 [inline]
rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072 rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742 ____sys_sendmsg+0x505/0x820 net/socket.c:2592 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646 __sys_sendmsg+0x164/0x220 net/socket.c:2678 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
__do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307 do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332 entry_SYSENTER_compat_after_hwframe+0x84/0x8e </TASK>
The buggy address belongs to the variable: lacpdu_mcast_addr+0x0/0x40
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 05/03/2026
The vulnerability CVE-2026-23099 resides within the Linux kernel's bonding driver, specifically concerning the handling of the BOND_MODE_8023AD mode. This mode, which implements the IEEE 802.3ad Link Aggregation Control Protocol, is designed to aggregate multiple network links into a single logical link. The flaw occurs when attempting to configure this mode on non-Ethernet network devices, leading to a global out-of-bounds memory access. The kernel's memory safety checker KASAN detects this issue by reporting a read operation of size 16 at an invalid address, indicating that memory is being accessed beyond its allocated bounds. The error trace points directly to the bonding driver's enslavement function and the underlying network device address management system, where the code attempts to process multicast addresses without proper validation of device type.
The technical root cause stems from the lack of device type validation in the bonding driver implementation. The BOND_MODE_8023AD is fundamentally designed for Ethernet devices, as indicated by the ARPHRD_ETHER requirement, but the kernel did not enforce this constraint. When a non-Ethernet device is configured with this mode, the code attempts to manipulate hardware multicast addresses using functions like __hw_addr_create and __hw_addr_add_ex, which expect Ethernet-specific data structures. The variable lacpdu_mcast_addr, which represents the multicast address used for LACP communication, is accessed with incorrect assumptions about its size and memory layout, resulting in memory corruption. This type of vulnerability aligns with CWE-129, which covers improper validation of array indices, and CWE-787, which addresses out-of-bounds write operations. The flaw manifests as a kernel panic or potential privilege escalation depending on exploitation context.
The operational impact of this vulnerability is significant within environments that utilize bonding drivers for network aggregation, particularly when administrators might inadvertently configure non-Ethernet interfaces with 802.3ad mode. The out-of-bounds memory access can lead to system instability, kernel crashes, or potentially allow a malicious actor to exploit the memory corruption for privilege escalation or denial-of-service attacks. Since the vulnerability is triggered during device enslavement operations, any automated network configuration or dynamic interface management could expose systems to this risk. The issue is particularly concerning in cloud and virtualized environments where network interfaces are frequently created and managed programmatically, as these scenarios increase the probability of misconfiguration leading to exploitation.
Mitigation strategies should focus on enforcing strict device type validation within the bonding driver. The fix implemented in the kernel enforces that BOND_MODE_8023AD is only permitted on devices with ARPHRD_ETHER type, preventing the erroneous configuration that leads to the memory access violation. Administrators should ensure that network interface configurations are reviewed for proper bonding mode assignments and that automated deployment scripts validate device compatibility before applying bonding configurations. Network administrators should also monitor for unusual bonding mode assignments and implement proper access controls to prevent unauthorized modifications to network interface settings. From an ATT&CK perspective, this vulnerability could be leveraged as part of a privilege escalation technique, specifically under T1068, which involves exploiting local system privileges. The mitigation aligns with defensive practices for preventing improper input validation and ensuring proper resource handling in kernel space operations.