PT-2026-39117 · Linux · Linux Kernel
Published
2026-05-08
·
Updated
2026-07-13
·
CVE-2026-43456
CVSS v4.0
8.5
High
| Vector | AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
A type confusion issue exists in the bonding driver of the Linux kernel. When a non-Ethernet device, such as a GRE tunnel, is enslaved to a bond, the
bond setup by slave() function directly copies the slave's header ops to the bond device. This leads to a type confusion when dev hard header() is subsequently called on the bond device. Functions such as ipgre header() and ip6gre header() utilize netdev priv(dev) to access device-specific private data; however, when called with the bond device, it returns the bond's private data (struct bonding) instead of the expected type (e.g., struct ip tunnel). This results in the reading of garbage values, which can lead to kernel crashes, denial of service, or local privilege escalation to root for users with CAP NET ADMIN permissions, including KASLR leak and arbitrary code execution.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
LPE
DoS
Use of Uninitialized Resource
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Linux Kernel