PT-2026-39117 · Linux · Linux Kernel

Published

2026-05-08

·

Updated

2026-07-13

·

CVE-2026-43456

CVSS v4.0

8.5

High

VectorAV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)
Description A type confusion issue exists in the bonding driver of the Linux kernel. When a non-Ethernet device, such as a GRE tunnel, is enslaved to a bond, the bond setup by slave() function directly copies the slave's header ops to the bond device. This leads to a type confusion when dev hard header() is subsequently called on the bond device. Functions such as ipgre header() and ip6gre header() utilize netdev priv(dev) to access device-specific private data; however, when called with the bond device, it returns the bond's private data (struct bonding) instead of the expected type (e.g., struct ip tunnel). This results in the reading of garbage values, which can lead to kernel crashes, denial of service, or local privilege escalation to root for users with CAP NET ADMIN permissions, including KASLR leak and arbitrary code execution.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

LPE

DoS

Use of Uninitialized Resource

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-08414
CVE-2026-43456
SUSE-SU-2026:22521-1
SUSE-SU-2026:22522-1
SUSE-SU-2026:2799-1
SUSE-SU-2026:2800-1
SUSE-SU-2026:2914-1

Affected Products

Linux Kernel