Skip to main content

Linux EUVDEUVD-2026-15252

| CVE-2026-23310 MEDIUM
2026-03-25 Linux GHSA-wj2w-7vcf-m7fj
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
4.4 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 28, 2026 - 14:22 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15252
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded

bond_option_mode_set() already rejects mode changes that would make a loaded XDP program incompatible via bond_xdp_check(). However, bond_option_xmit_hash_policy_set() has no such guard.

For 802.3ad and balance-xor modes, bond_xdp_check() returns false when xmit_hash_policy is vlan+srcmac, because the 802.1q payload is usually absent due to hardware offload. This means a user can:

  1. Attach a native XDP program to a bond in 802.3ad/balance-xor mode

with a compatible xmit_hash_policy (e.g. layer2+3).

  1. Change xmit_hash_policy to vlan+srcmac while XDP remains loaded.

This leaves bond->xdp_prog set but bond_xdp_check() now returning false for the same device. When the bond is later destroyed, dev_xdp_uninstall() calls bond_xdp_set(dev, NULL, NULL) to remove the program, which hits the bond_xdp_check() guard and returns -EOPNOTSUPP, triggering:

WARN_ON(dev_xdp_install(dev, mode, bpf_op, NULL, 0, NULL))

Fix this by rejecting xmit_hash_policy changes to vlan+srcmac when an XDP program is loaded on a bond in 802.3ad or balance-xor mode.

commit 39a0876d595b ("net, bonding: Disallow vlan+srcmac with XDP") introduced bond_xdp_check() which returns false for 802.3ad/balance-xor modes when xmit_hash_policy is vlan+srcmac. The check was wired into bond_xdp_set() to reject XDP attachment with an incompatible policy, but the symmetric path -- preventing xmit_hash_policy from being changed to an incompatible value after XDP is already loaded -- was left unguarded in bond_option_xmit_hash_policy_set().

Note: commit 094ee6017ea0 ("bonding: check xdp prog when set bond mode") later added a similar guard to bond_option_mode_set(), but bond_option_xmit_hash_policy_set() remained unprotected.

AnalysisAI

A logic error in the Linux kernel's bonding driver allows an unprivileged user to change the xmit_hash_policy parameter to an incompatible value (vlan+srcmac) while an XDP program is loaded, creating an inconsistent state where the kernel cannot safely unload the XDP program during device shutdown. This triggers a kernel warning and potential instability when the bond interface is destroyed. The vulnerability affects Linux kernel versions across multiple stable branches and requires local access to trigger.

Technical ContextAI

The vulnerability exists in the Linux kernel's bonding subsystem, specifically in the interaction between XDP (eXpress Data Path) program attachment and bond configuration changes. The bonding driver maintains compatibility checks via bond_xdp_check() which validates that the current xmit_hash_policy is compatible with loaded XDP programs. For 802.3ad (LACP) and balance-xor bonding modes, the vlan+srcmac hashing policy is incompatible with XDP because hardware offloading typically strips 802.1q VLAN headers before XDP processes packets. The CVE-2026-23310 vulnerability stems from an asymmetric protection: bond_option_mode_set() validates XDP compatibility when mode changes occur (via commit 094ee6017ea0), but bond_option_xmit_hash_policy_set() lacks equivalent guards when policy changes occur post-XDP-attachment. This creates a window where bond->xdp_prog remains set while bond_xdp_check() returns false, causing dev_xdp_uninstall() to fail during device cleanup and trigger WARN_ON() in the kernel log. The CWE classification involves missing input validation (CWE-20) and improper state management around XDP lifecycle. Affected products are identified via CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* across multiple kernel versions.

RemediationAI

Update the Linux kernel to a patched version that includes one of the five fixes referenced in the stable kernel repository (commits 5c262bd0e39320a6d6c8277cb8349ce21c01b8c1 or later). Most distributions have backported this fix into their stable kernel updates; check your distribution's security advisory for specific kernel versions (e.g., RHEL, Debian, Ubuntu stable releases). Until patching is possible, administratively restrict access to bond configuration changes by limiting privileges of users who can modify /sys/class/net/bond*/bonding/xmit_hash_policy or through SELinux/AppArmor policies. Avoid running XDP programs on bonded interfaces in 802.3ad or balance-xor modes in production environments, or use alternative hashing policies (layer2, layer3, layer2+3, etc.) that are compatible with XDP. Kernel maintainers have mitigated the issue by adding validation in bond_option_xmit_hash_policy_set() to reject vlan+srcmac policy changes when XDP is loaded, similar to the existing guard in bond_option_mode_set().

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15252 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy