Skip to main content

Linux Kernel CVE-2026-31502

| EUVDEUVD-2026-24879 HIGH
Access of Resource Using Incompatible Type (Type Confusion) (CWE-843)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-pgcq-8hv5-frgj
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
6.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 28, 2026 - 14:52 vuln.today
cvss_changed
Patch released
Apr 28, 2026 - 14:47 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:23 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.8 (HIGH)
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24879
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

team: fix header_ops type confusion with non-Ethernet ports

Similar to commit 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()") team has the same class of header_ops type confusion.

For non-Ethernet ports, team_setup_by_port() copies port_dev->header_ops directly. When the team device later calls dev_hard_header() or dev_parse_header(), these callbacks can run with the team net_device instead of the real lower device, so netdev_priv(dev) is interpreted as the wrong private type and can crash.

The syzbot report shows a crash in bond_header_create(), but the root cause is in team: the topology is gre -> bond -> team, and team calls the inherited header_ops with its own net_device instead of the lower device, so bond_header_create() receives a team device and interprets netdev_priv() as bonding private data, causing a type confusion crash.

Fix this by introducing team header_ops wrappers for create/parse, selecting a team port under RCU, and calling the lower device callbacks with port->dev, so each callback always sees the correct net_device context.

Also pass the selected lower device to the lower parse callback, so recursion is bounded in stacked non-Ethernet topologies and parse callbacks always run with the correct device context.

AnalysisAI

Type confusion in Linux kernel team driver allows local authenticated users to trigger memory corruption and potential privilege escalation. The team_setup_by_port() function incorrectly copies header_ops from non-Ethernet lower devices (such as GRE interfaces) without proper context validation, causing callbacks like dev_hard_header() to interpret netdev_priv() as the wrong structure type when processing stacked network topologies (e.g., gre → bond → team). While CVSS rates this 7.8 (High), EPSS probability is very low at 0.02% (5th percentile), and no active exploitation or public POC has been identified. Vendor patches are available across multiple stable kernel branches (6.12.80, 6.18.21, 6.19.11, 7.0).

Technical ContextAI

The Linux kernel team driver implements link aggregation similar to bonding. When configuring a team device over non-Ethernet lower devices (e.g., GRE tunnels, IPIP), the team_setup_by_port() function directly copies the port_dev->header_ops function pointers without creating wrapper functions. This causes a dangerous type confusion: when the team device later invokes dev_hard_header() or dev_parse_header(), these callbacks receive the team net_device structure but execute code expecting the original lower device type. The netdev_priv() macro then returns a pointer to team-specific private data, which gets misinterpreted as bonding or GRE private structures, leading to out-of-bounds memory access. This is architecturally similar to CVE-2024-XXXXX in bonding (commit 950803f72547). The fix introduces wrapper functions (team_header_create, team_header_parse) that select the appropriate lower port device under RCU lock before delegating to the real header_ops callbacks, ensuring type safety across recursive network device stacks.

RemediationAI

Update to patched kernel versions: 6.12.80 or later for 6.12.x stable series, 6.18.21 or later for 6.18.x series, 6.19.11 or later for 6.19.x series, or upgrade to 7.0 or later. Mainline fix commit is 6d3161fa3eee64d46b766fb0db33ec7f300ef52d. Patch commits for each branch are available at https://git.kernel.org/stable/ (see references for specific commit hashes). If immediate patching is not feasible, implement these compensating controls: (1) Avoid configuring team network devices over non-Ethernet lower devices (GRE, IPIP, SIT tunnels) - reconfigure to use team only with physical Ethernet or VLAN interfaces; trade-off is loss of tunnel aggregation capability. (2) Disable team driver module if not operationally required (echo 'blacklist team' >> /etc/modprobe.d/disable-team.conf and reboot); side effect is inability to use team-based link aggregation. (3) Restrict local user access to network configuration capabilities via appropriate AppArmor/SELinux policies limiting CAP_NET_ADMIN; reduces attack surface but does not eliminate risk from privileged local users. Monitor for kernel crashes in bond_header_create or team_hard_header functions as potential exploitation indicators.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31502 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy