Skip to main content

Linux Kernel EUVDEUVD-2026-38937

| CVE-2026-53069 HIGH
2026-06-24 Linux GHSA-cc9g-3x8w-qfw5
7.5
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.2 MEDIUM

Triggering requires an admin-created non-default XDP-on-down-bond state (PR:H, AC:H) and is reached via adjacent network traffic on the XDP interface (AV:A); impact is kernel-panic DoS only (A:H, C/I:N).

3.1 AV:A/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
4.0 AV:A/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:02 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:30 cve.org
HIGH 7.5
CVE Published
Jun 24, 2026 - 16:30 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master

syzkaller reported a kernel panic in bond_rr_gen_slave_id() reached via xdp_master_redirect(). Full decoded trace:

https://syzkaller.appspot.com/bug?extid=80e046b8da2820b6ba73

bond_rr_gen_slave_id() dereferences bond->rr_tx_counter, a per-CPU counter that bonding only allocates in bond_open() when the mode is round-robin. If the bond device was never brought up, rr_tx_counter stays NULL.

The XDP redirect path can still reach that code on a bond that was never opened: bpf_master_redirect_enabled_key is a global static key, so as soon as any bond device has native XDP attached, the XDP_TX -> xdp_master_redirect() interception is enabled for every slave system-wide. The path xdp_master_redirect() -> bond_xdp_get_xmit_slave() -> bond_xdp_xmit_roundrobin_slave_get() -> bond_rr_gen_slave_id() then runs against a bond that has no rr_tx_counter and crashes.

Fix this in the generic xdp_master_redirect() by refusing to call into the master's ->ndo_xdp_get_xmit_slave() when the master device is not up. IFF_UP is only set after ->ndo_open() has successfully returned, so this reliably excludes masters whose XDP state has not been fully initialized. Drop the frame with XDP_ABORTED so the exception is visible via trace_xdp_exception() rather than silently falling through. This is not specific to bonding: any current or future master that defers XDP state allocation to ->ndo_open() is protected.

AnalysisAI

Denial of service in the Linux kernel network/BPF subsystem allows a NULL-pointer dereference and kernel panic via xdp_master_redirect() when XDP frames are redirected through a bonding master that was never brought up. Because bpf_master_redirect_enabled_key is a global static key, attaching native XDP to any bond device system-wide enables the XDP_TX→xdp_master_redirect() interception for every slave, letting traffic reach bond_rr_gen_slave_id() against a round-robin bond whose per-CPU rr_tx_counter is still NULL (allocated only in bond_open()). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Admin attaches native XDP to bond, master left down
Delivery
Attacker sends packets to XDP-enabled slave
Exploit
XDP program returns XDP_TX
Execution
xdp_master_redirect routes to round-robin master
Persist
bond_rr_gen_slave_id dereferences NULL rr_tx_counter
Impact
Kernel panic, host denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires a very specific deployment state: a Linux bonding (bond) master device configured in round-robin transmit mode (the mode using the per-CPU rr_tx_counter), with native XDP attached to at least one bond device on the host (which globally enables the bpf_master_redirect_enabled_key static key and thus the XDP_TX→xdp_master_redirect() interception for every slave), AND the bond master left in the administratively-DOWN state (never successfully brought up via ndo_open, so rr_tx_counter was never allocated and remains NULL). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and should be read carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a host where an administrator has attached a native XDP program to a bond interface but the round-robin bond was never brought up, an attacker (or even normal traffic) sends packets that the XDP program returns as XDP_TX; xdp_master_redirect() then dispatches into the master's round-robin slave selector, which dereferences the NULL rr_tx_counter and panics the kernel, taking the host offline. No public exploit code exists; the crash was reproduced by the syzkaller fuzzer, indicating it is reachable but tied to this specific misconfiguration rather than a turnkey weapon.
Remediation Vendor-released patch: update to a fixed stable kernel - 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, or 7.0.10/7.1 (or any later release on your branch) - using the corresponding kernel.org stable commits listed in the advisory (https://git.kernel.org/stable/c/3128b294b426533c8d9162187446d93a8a160359 and the other six stable commits). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running native XDP programs on bonded network interfaces; document current XDP configurations and kernel versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38937 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy