CVE-2026-23119 in Linux
Summary
by MITRE • 02/14/2026
In the Linux kernel, the following vulnerability has been resolved:
bonding: provide a net pointer to __skb_flow_dissect()
After 3cbf4ffba5ee ("net: plumb network namespace into __skb_flow_dissect") we have to provide a net pointer to __skb_flow_dissect(), either via skb->dev, skb->sk, or a user provided pointer.
In the following case, syzbot was able to cook a bare skb.
WARNING: net/core/flow_dissector.c:1131 at __skb_flow_dissect+0xb57/0x68b0 net/core/flow_dissector.c:1131, CPU#1: syz.2.1418/11053 Call Trace: <TASK> bond_flow_dissect drivers/net/bonding/bond_main.c:4093 [inline]
__bond_xmit_hash+0x2d7/0xba0 drivers/net/bonding/bond_main.c:4157 bond_xmit_hash_xdp drivers/net/bonding/bond_main.c:4208 [inline]
bond_xdp_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5139 [inline]
bond_xdp_get_xmit_slave+0x1fd/0x710 drivers/net/bonding/bond_main.c:5515 xdp_master_redirect+0x13f/0x2c0 net/core/filter.c:4388 bpf_prog_run_xdp include/net/xdp.h:700 [inline]
bpf_test_run+0x6b2/0x7d0 net/bpf/test_run.c:421 bpf_prog_test_run_xdp+0x795/0x10e0 net/bpf/test_run.c:1390 bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703 __sys_bpf+0x562/0x860 kernel/bpf/syscall.c:6182 __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 05/06/2026
The vulnerability described in CVE-2026-23119 resides within the Linux kernel's bonding driver implementation, specifically in how it handles packet flow dissection operations. This issue manifests when the bonding driver attempts to process packets through the __skb_flow_dissect() function, which requires a network namespace pointer to operate correctly. The problem emerged following a specific kernel commit that introduced network namespace plumbing into the flow dissection mechanism, creating a scenario where certain packet structures lack the necessary network context.
The technical flaw occurs in the bonding driver's handling of XDP (eXpress Data Path) operations, particularly within the bond_xdp_get_xmit_slave function pathway. When syzbot encountered this condition, it was able to construct a bare skb (socket buffer) structure that does not contain the expected network device or socket context required by __skb_flow_dissect(). This results in a kernel oops or warning when the function attempts to access network namespace information that is unavailable through the standard skb->dev or skb->sk pointers. The kernel's flow dissection subsystem at net/core/flow_dissector.c line 1131 fails when it cannot determine the appropriate network namespace context, leading to a potential system crash or undefined behavior.
This vulnerability presents significant operational impact within network-intensive environments where bonding drivers and XDP operations are actively utilized. The issue can be exploited to cause kernel panics or system instability, particularly in configurations that rely heavily on bond interfaces with XDP programs attached. Attackers could potentially leverage this weakness to disrupt network services or cause denial of service conditions, making it particularly concerning for network infrastructure and high-availability systems. The vulnerability affects systems running Linux kernels that include the specific commit referenced in the patch, typically those incorporating network namespace improvements from kernel versions 5.10 and later.
Mitigation strategies should focus on applying the official kernel patch that ensures proper net pointer provision to __skb_flow_dissect() calls within the bonding driver. System administrators should prioritize updating to patched kernel versions that address this specific issue. Additionally, monitoring for kernel oops messages related to flow dissection failures can help identify systems that may be vulnerable or experiencing exploitation attempts. Implementing proper network namespace handling in custom XDP programs and avoiding bare skb constructions without proper network context can also reduce exposure. Organizations should also consider implementing runtime checks for bonding driver operations and ensuring that XDP programs are properly validated before deployment. This vulnerability aligns with CWE-476, which addresses null pointer dereferences, and relates to ATT&CK technique T1059.007 for kernel-mode rootkit detection and T1490 for denial of service through system instability.