Skip to main content

Linux Kernel CVE-2026-45970

| EUVDEUVD-2026-32254 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-mc9g-h8jv-5cp3
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 30, 2026 - 11:34 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bonding: alb: fix UAF in rlb_arp_recv during bond up/down

The ALB RX path may access rx_hashtbl concurrently with bond teardown. During rapid bond up/down cycles, rlb_deinitialize() frees rx_hashtbl while RX handlers are still running, leading to a null pointer dereference detected by KASAN.

However, the root cause is that rlb_arp_recv() can still be accessed after setting recv_probe to NULL, which is actually a use-after-free (UAF) issue. That is the reason for using the referenced commit in the Fixes tag.

[ 214.174138] Oops: general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] SMP KASAN PTI [ 214.186478] KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef] [ 214.194933] CPU: 30 UID: 0 PID: 2375 Comm: ping Kdump: loaded Not tainted 6.19.0-rc8+ #2 PREEMPT(voluntary) [ 214.205907] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.14.0 01/14/2022 [ 214.214357] RIP: 0010:rlb_arp_recv+0x505/0xab0 [bonding] [ 214.220320] Code: 0f 85 2b 05 00 00 48 b8 00 00 00 00 00 fc ff df 40 0f b6 ed 48 c1 e5 06 49 03 ad 78 01 00 00 48 8d 7d 28 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 06 0f 8e 12 05 00 00 80 7d 28 00 0f 84 8c 00 [ 214.241280] RSP: 0018:ffffc900073d8870 EFLAGS: 00010206 [ 214.247116] RAX: dffffc0000000000 RBX: ffff888168556822 RCX: ffff88816855681e [ 214.255082] RDX: 000000000000001d RSI: dffffc0000000000 RDI: 00000000000000e8 [ 214.263048] RBP: 00000000000000c0 R08: 0000000000000002 R09: ffffed11192021c8 [ 214.271013] R10: ffff8888c9010e43 R11: 0000000000000001 R12: 1ffff92000e7b119 [ 214.278978] R13: ffff8888c9010e00 R14: ffff888168556822 R15: ffff888168556810 [ 214.286943] FS: 00007f85d2d9cb80(0000) GS:ffff88886ccb3000(0000) knlGS:0000000000000000 [ 214.295966] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 214.302380] CR2: 00007f0d047b5e34 CR3: 00000008a1c2e002 CR4: 00000000001726f0 [ 214.310347] Call Trace: [ 214.313070] <IRQ> [ 214.315318] ? __pfx_rlb_arp_recv+0x10/0x10 [bonding] [ 214.320975] bond_handle_frame+0x166/0xb60 [bonding] [ 214.326537] ? __pfx_bond_handle_frame+0x10/0x10 [bonding] [ 214.332680] __netif_receive_skb_core.constprop.0+0x576/0x2710 [ 214.339199] ? __pfx_arp_process+0x10/0x10 [ 214.343775] ? sched_balance_find_src_group+0x98/0x630 [ 214.349513] ? __pfx___netif_receive_skb_core.constprop.0+0x10/0x10 [ 214.356513] ? arp_rcv+0x307/0x690 [ 214.360311] ? __pfx_arp_rcv+0x10/0x10 [ 214.364499] ? __lock_acquire+0x58c/0xbd0 [ 214.368975] __netif_receive_skb_one_core+0xae/0x1b0 [ 214.374518] ? __pfx___netif_receive_skb_one_core+0x10/0x10 [ 214.380743] ? lock_acquire+0x10b/0x140 [ 214.385026] process_backlog+0x3f1/0x13a0 [ 214.389502] ? process_backlog+0x3aa/0x13a0 [ 214.394174] __napi_poll.constprop.0+0x9f/0x370 [ 214.399233] net_rx_action+0x8c1/0xe60 [ 214.403423] ? __pfx_net_rx_action+0x10/0x10 [ 214.408193] ? lock_acquire.part.0+0xbd/0x260 [ 214.413058] ? sched_clock_cpu+0x6c/0x540 [ 214.417540] ? mark_held_locks+0x40/0x70 [ 214.421920] handle_softirqs+0x1fd/0x860 [ 214.426302] ? __pfx_handle_softirqs+0x10/0x10 [ 214.431264] ? __neigh_event_send+0x2d6/0xf50 [ 214.436131] do_softirq+0xb1/0xf0 [ 214.439830] </IRQ>

The issue is reproducible by repeatedly running ip link set bond0 up/down while receiving ARP messages, where rlb_arp_recv() can race with rlb_deinitialize() and dereference a freed rx_hashtbl entry.

Fix this by setting recv_probe to NULL and then calling synchronize_net() to wait for any concurrent RX processing to finish. This ensures that no RX handler can access rx_hashtbl after it is freed in bond_alb_deinitialize().

AnalysisAI

Use-after-free in the Linux kernel bonding driver's Adaptive Load Balancing (ALB) subsystem allows a local low-privileged user to crash the kernel by racing rlb_arp_recv() against rlb_deinitialize() during rapid bond interface up/down cycling. Specifically, the RX handler continues to dereference rx_hashtbl entries after rlb_deinitialize() frees them, because recv_probe is set to NULL without first draining in-flight softirq handlers via synchronize_net(). Systems running bonded NICs in ALB mode (mode=6) on affected kernel versions - including Dell PowerEdge hardware and Canonical-distributed kernels - are at risk of kernel panic. No public exploit identified at time of analysis, and EPSS at 0.02% (7th percentile) confirms no observed mass exploitation.

Technical ContextAI

The Linux bonding driver supports multiple bonding modes; ALB (Adaptive Load Balancing, mode=6) includes a Receive Load Balancing (RLB) component that uses ARP interception to steer incoming traffic. The RLB subsystem maintains a hash table (rx_hashtbl) keyed on client MAC/IP pairs, populated and queried by rlb_arp_recv() in the softirq/IRQ network receive path (bond_handle_frame → __netif_receive_skb_core → rlb_arp_recv). During bond teardown, rlb_deinitialize() frees rx_hashtbl and sets recv_probe to NULL. The root cause is a classic time-of-check/time-of-use race: recv_probe is nulled without waiting for concurrent RX handlers still executing in softirq context to complete, resulting in rlb_arp_recv() dereferencing a freed rx_hashtbl entry. KASAN identifies this as a null-ptr-deref at offset 0xe8-0xef, consistent with accessing a freed bonding slave structure member. The CWE is not formally assigned in the NVD record, but the vulnerability is a textbook CWE-416 (Use After Free) with a secondary manifestation as CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization). The fix adds synchronize_net() after nulling recv_probe to ensure RCU-like completion of all in-flight RX handlers before the hash table is freed.

RemediationAI

The primary remediation is to upgrade to a patched kernel: 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, or 7.0, depending on your stable branch. Upstream fix commits for each branch are available at git.kernel.org/stable/c/c65cdf46ce340c9c00fbbaf84599d2daff43626e (6.6), fd54ddc929be1d6c3b3b7b35d6d4642a5d9e803c (6.1), fef13c403be3fb685cb06419e6b3623106aab5ba (6.12), db5435b5342e3aaa4521d0f3ccfe94316b253ca1 (6.18), d31065526f160ee0244a719230aa069daca2bf4d (5.10), de7c097800f07f3c108185c7a38b53a530ba30ff (5.15), e6834a4c474697df23ab9948fd3577b26bf48656 (6.19), and f94a0de7b9f32745a14a1621c63087a092823587 (7.0). If immediate patching is not possible, switch the bonding configuration from ALB mode (mode=6 / mode=balance-alb) to a mode that does not use the RLB ARP interception path, such as LACP/802.3ad (mode=4); this avoids the vulnerable rlb_arp_recv() code path entirely but requires corresponding switch-side LACP configuration and may affect traffic distribution behavior. Additionally, restrict CAP_NET_ADMIN to only trusted administrators on multi-user systems (e.g., via user namespaces policy or removing net_admin from unprivileged containers) to reduce the attack surface, though this is a hardening measure rather than a fix. Canonical and other distribution vendors should be expected to backport these fixes to their supported kernel packages.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2019-7304 CRITICAL POC
9.8 Apr 23

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-50180 HIGH POC
8.7 Jul 02

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2020-13822 HIGH POC
7.7 Jun 04

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte

CVE-2026-29181 HIGH POC
7.5 Apr 07

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se

CVE-2019-7303 HIGH POC
7.5 Apr 23

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char

CVE-2014-4699 MEDIUM POC
6.9 Jul 09

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-48816 MEDIUM POC
6.5 Jul 01

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-45970 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy