Skip to main content

Linux Kernel CVE-2026-31419

| EUVDEUVD-2026-21943 HIGH
Use After Free (CWE-416)
2026-04-13 Linux GHSA-47j5-hmhq-4c74
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 27, 2026 - 14:24 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
7.8 (HIGH)
Patch released
Apr 27, 2026 - 14:16 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
2884bf72fb8f03409e423397319205de48adca16
EUVD ID Assigned
Apr 13, 2026 - 13:45 euvd
EUVD-2026-21943
Analysis Generated
Apr 13, 2026 - 13:45 vuln.today
CVE Published
Apr 13, 2026 - 13:40 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: bonding: fix use-after-free in bond_xmit_broadcast()

bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave list during RCU-protected iteration, changing which slave is "last" mid-loop. This causes the original skb to be double-consumed (double-freed).

Replace the racy bond_is_last_slave() check with a simple index comparison (i + 1 == slaves_count) against the pre-snapshot slave count taken via READ_ONCE() before the loop. This preserves the zero-copy optimization for the last slave while making the "last" determination stable against concurrent list mutations.

The UAF can trigger the following crash:

============== BUG: KASAN: slab-use-after-free in skb_clone Read of size 8 at addr ffff888100ef8d40 by task exploit/147

CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:123) print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) kasan_report (mm/kasan/report.c:597) skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334) bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593) dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887) __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838) ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136) ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219) ip6_output (net/ipv6/ip6_output.c:250) ip6_send_skb (net/ipv6/ip6_output.c:1985) udp_v6_send_skb (net/ipv6/udp.c:1442) udpv6_sendmsg (net/ipv6/udp.c:1733) __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) </TASK>

Allocated by task 147:

Freed by task 147:

The buggy address belongs to the object at ffff888100ef8c80 which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 192 bytes inside of freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)

Memory state around the buggy address: ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==============

AnalysisAI

Use-after-free in Linux kernel bonding driver allows local authenticated attackers with low privileges to trigger memory corruption via race condition during concurrent slave device operations. The vulnerability (CVSS 7.8, EPSS 0.02%) affects the bond_xmit_broadcast() function where concurrent slave enslave/release operations can mutate the slave list during RCU-protected iteration, causing the original skb to be double-consumed and double-freed. Vendor patches are available for kernel versions 6.18.22, 6.19.12, and 7.0. No public exploit or active exploitation confirmed at time of analysis.

Technical ContextAI

The vulnerability resides in the Linux kernel bonding driver (drivers/net/bonding/bond_main.c), specifically in the bond_xmit_broadcast() function responsible for transmitting broadcast packets across bonded network interfaces. Linux bonding aggregates multiple network interfaces (slaves) into a single logical interface for redundancy and bandwidth aggregation. The affected code path uses RCU (Read-Copy-Update) synchronization to iterate over the slave list while reusing the original socket buffer (skb) for the last slave and cloning it for others-a zero-copy optimization. The race condition occurs when bond_is_last_slave() checks are performed during iteration: concurrent slave addition/removal operations can change which device is considered 'last' mid-loop, violating the assumption that exactly one slave receives the original skb. This causes skb_clone() to be called on already-freed memory, triggering KASAN slab-use-after-free detection. The fix replaces the racy bond_is_last_slave() check with a stable index comparison (i + 1 == slaves_count) against a pre-snapshot count taken via READ_ONCE() before loop entry, making the 'last slave' determination immune to concurrent list mutations while preserving the performance optimization.

RemediationAI

Apply vendor-released patches to Linux kernel versions 6.18.22, 6.19.12, or 7.0 or later from your distribution's stable kernel repository. Patch commits d4cc7e4c80b1634c7b1497574a2fdb18df6c026c, f5b94654a4a19891a8108d66ef166de6c028c6cd, and 2884bf72fb8f03409e423397319205de48adca16 are available at https://git.kernel.org/stable/. If immediate patching is not feasible, implement compensating controls: (1) minimize bonding topology changes during active traffic-schedule slave additions/removals during maintenance windows to reduce race window exposure (trade-off: limits operational flexibility for dynamic failover scenarios); (2) restrict local user access to systems using bonding interfaces-limit shell access and disable unnecessary user accounts to reduce attack surface given the PR:L privilege requirement (trade-off: may impact legitimate administrative workflows); (3) monitor kernel logs for KASAN use-after-free reports in bond_xmit_broadcast() as potential exploitation indicators-configure syslog alerting for 'BUG: KASAN: slab-use-after-free in skb_clone' patterns (trade-off: detection-only control, does not prevent exploitation). Note that disabling bonding entirely eliminates vulnerability but sacrifices network redundancy and aggregation benefits. Prioritize patching over workarounds for production systems.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31419 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy