CVE-2026-23171 in Linuxinfo

Summary

by MITRE • 02/14/2026

In the Linux kernel, the following vulnerability has been resolved:

bonding: fix use-after-free due to enslave fail after slave array update

Fix a use-after-free which happens due to enslave failure after the new slave has been added to the array. Since the new slave can be used for Tx immediately, we can use it after it has been freed by the enslave error cleanup path which frees the allocated slave memory. Slave update array is supposed to be called last when further enslave failures are not expected. Move it after xdp setup to avoid any problems.

It is very easy to reproduce the problem with a simple xdp_pass prog: ip l add bond1 type bond mode balance-xor ip l set bond1 up ip l set dev bond1 xdp object xdp_pass.o sec xdp_pass ip l add dumdum type dummy

Then run in parallel: while :; do ip l set dumdum master bond1 1>/dev/null 2>&1; done; mausezahn bond1 -a own -b rand -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn"

The crash happens almost immediately: [ 605.602850] Oops: general protection fault, probably for non-canonical address 0xe0e6fc2460000137: 0000 [#1] SMP KASAN NOPTI
[ 605.602916] KASAN: maybe wild-memory-access in range [0x07380123000009b8-0x07380123000009bf]
[ 605.602946] CPU: 0 UID: 0 PID: 2445 Comm: mausezahn Kdump: loaded Tainted: G B 6.19.0-rc6+ #21 PREEMPT(voluntary)
[ 605.602979] Tainted: [B]=BAD_PAGE
[ 605.602998] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 605.603032] RIP: 0010:netdev_core_pick_tx+0xcd/0x210
[ 605.603063] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 3e 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 6b 08 49 8d 7d 30 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 25 01 00 00 49 8b 45 30 4c 89 e2 48 89 ee 48 89
[ 605.603111] RSP: 0018:ffff88817b9af348 EFLAGS: 00010213
[ 605.603145] RAX: dffffc0000000000 RBX: ffff88817d28b420 RCX: 0000000000000000
[ 605.603172] RDX: 00e7002460000137 RSI: 0000000000000008 RDI: 07380123000009be
[ 605.603199] RBP: ffff88817b541a00 R08: 0000000000000001 R09: fffffbfff3ed8c0c
[ 605.603226] R10: ffffffff9f6c6067 R11: 0000000000000001 R12: 0000000000000000
[ 605.603253] R13: 073801230000098e R14: ffff88817d28b448 R15: ffff88817b541a84
[ 605.603286] FS: 00007f6570ef67c0(0000) GS:ffff888221dfa000(0000) knlGS:0000000000000000
[ 605.603319] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 605.603343] CR2: 00007f65712fae40 CR3: 000000011371b000 CR4: 0000000000350ef0
[ 605.603373] Call Trace:
[ 605.603392] <TASK>
[ 605.603410] __dev_queue_xmit+0x448/0x32a0
[ 605.603434] ? __pfx_vprintk_emit+0x10/0x10
[ 605.603461] ? __pfx_vprintk_emit+0x10/0x10
[ 605.603484] ? __pfx___dev_queue_xmit+0x10/0x10
[ 605.603507] ? bond_start_xmit+0xbfb/0xc20 [bonding]
[ 605.603546] ? _printk+0xcb/0x100
[ 605.603566] ? __pfx__printk+0x10/0x10
[ 605.603589] ? bond_start_xmit+0xbfb/0xc20 [bonding]
[ 605.603627] ? add_taint+0x5e/0x70
[ 605.603648] ? add_taint+0x2a/0x70
[ 605.603670] ? end_report.cold+0x51/0x75
[ 605.603693] ? bond_start_xmit+0xbfb/0xc20 [bonding]
[ 605.603731] bond_start_xmit+0x623/0xc20 [bonding]

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 05/17/2026

The vulnerability described in CVE-2026-23171 resides within the Linux kernel's bonding driver, specifically addressing a use-after-free condition that occurs during the enslavement process of network interfaces. This flaw manifests when a new slave interface is added to the bonding array but the subsequent enslave operation fails, leading to premature memory deallocation of the slave structure. The core issue stems from the order of operations within the bonding driver's implementation, where the slave array update occurs before XDP (eXpress Data Path) setup, creating a window where a freed memory reference can still be accessed by the transmission path, resulting in a kernel panic or system crash.

The technical flaw is rooted in improper sequencing of memory management operations within the bonding driver's enslave mechanism. According to CWE-416, this represents a classic use-after-free vulnerability where memory is accessed after it has been freed, violating fundamental memory safety principles. The vulnerability is particularly dangerous because it can be triggered by concurrent operations involving XDP programs and interface enslavement, making it exploitable in high-throughput network environments where bonding is actively managing multiple slave interfaces. The specific crash occurs in the netdev_core_pick_tx function, indicating that freed memory is being dereferenced during packet transmission, which aligns with the ATT&CK technique T1059.007 for kernel-level code execution through memory corruption.

The operational impact of this vulnerability extends beyond simple system crashes, potentially enabling denial-of-service attacks against network services that rely on bonding configurations. Attackers can exploit this condition by rapidly creating and destroying slave interface assignments while simultaneously applying XDP programs, causing the kernel to access freed memory structures during packet forwarding operations. The reproduction scenario demonstrates how simple commands like ip link set operations combined with mausezahn network traffic can trigger the crash within seconds, making this a particularly effective vector for disrupting network services. This vulnerability affects systems running Linux kernel versions where the bonding driver is present, especially those implementing XDP for high-performance packet processing, and could be leveraged in environments where network reliability is paramount.

Mitigation strategies for this vulnerability involve applying the kernel patch that reorders the operations to ensure the slave array update occurs after XDP setup, thereby preventing the use-after-free scenario. System administrators should prioritize updating to kernel versions that include this fix, as the vulnerability cannot be effectively mitigated through configuration changes alone. The patch implementation aligns with security best practices by enforcing proper memory lifecycle management and ensuring that resource cleanup operations do not occur until all potential references have been resolved. Organizations should also implement monitoring for unusual bonding driver behavior and consider temporarily disabling XDP functionality on affected systems until patches are deployed. Additionally, the fix demonstrates the importance of careful ordering in kernel subsystems where concurrent operations can lead to memory safety violations, reinforcing the need for comprehensive testing of complex driver interactions under stress conditions.

Responsible

Linux

Reservation

01/13/2026

Disclosure

02/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00117

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!