Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Triggering requires an admin-created non-default XDP-on-down-bond state (PR:H, AC:H) and is reached via adjacent network traffic on the XDP interface (AV:A); impact is kernel-panic DoS only (A:H, C/I:N).
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master
syzkaller reported a kernel panic in bond_rr_gen_slave_id() reached via xdp_master_redirect(). Full decoded trace:
https://syzkaller.appspot.com/bug?extid=80e046b8da2820b6ba73
bond_rr_gen_slave_id() dereferences bond->rr_tx_counter, a per-CPU counter that bonding only allocates in bond_open() when the mode is round-robin. If the bond device was never brought up, rr_tx_counter stays NULL.
The XDP redirect path can still reach that code on a bond that was never opened: bpf_master_redirect_enabled_key is a global static key, so as soon as any bond device has native XDP attached, the XDP_TX -> xdp_master_redirect() interception is enabled for every slave system-wide. The path xdp_master_redirect() -> bond_xdp_get_xmit_slave() -> bond_xdp_xmit_roundrobin_slave_get() -> bond_rr_gen_slave_id() then runs against a bond that has no rr_tx_counter and crashes.
Fix this in the generic xdp_master_redirect() by refusing to call into the master's ->ndo_xdp_get_xmit_slave() when the master device is not up. IFF_UP is only set after ->ndo_open() has successfully returned, so this reliably excludes masters whose XDP state has not been fully initialized. Drop the frame with XDP_ABORTED so the exception is visible via trace_xdp_exception() rather than silently falling through. This is not specific to bonding: any current or future master that defers XDP state allocation to ->ndo_open() is protected.
AnalysisAI
Denial of service in the Linux kernel network/BPF subsystem allows a NULL-pointer dereference and kernel panic via xdp_master_redirect() when XDP frames are redirected through a bonding master that was never brought up. Because bpf_master_redirect_enabled_key is a global static key, attaching native XDP to any bond device system-wide enables the XDP_TX→xdp_master_redirect() interception for every slave, letting traffic reach bond_rr_gen_slave_id() against a round-robin bond whose per-CPU rr_tx_counter is still NULL (allocated only in bond_open()). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a very specific deployment state: a Linux bonding (bond) master device configured in round-robin transmit mode (the mode using the per-CPU rr_tx_counter), with native XDP attached to at least one bond device on the host (which globally enables the bpf_master_redirect_enabled_key static key and thus the XDP_TX→xdp_master_redirect() interception for every slave), AND the bond master left in the administratively-DOWN state (never successfully brought up via ndo_open, so rr_tx_counter was never allocated and remains NULL). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and should be read carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a host where an administrator has attached a native XDP program to a bond interface but the round-robin bond was never brought up, an attacker (or even normal traffic) sends packets that the XDP program returns as XDP_TX; xdp_master_redirect() then dispatches into the master's round-robin slave selector, which dereferences the NULL rr_tx_counter and panics the kernel, taking the host offline. No public exploit code exists; the crash was reproduced by the syzkaller fuzzer, indicating it is reachable but tied to this specific misconfiguration rather than a turnkey weapon. |
| Remediation | Vendor-released patch: update to a fixed stable kernel - 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, or 7.0.10/7.1 (or any later release on your branch) - using the corresponding kernel.org stable commits listed in the advisory (https://git.kernel.org/stable/c/3128b294b426533c8d9162187446d93a8a160359 and the other six stable commits). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running native XDP programs on bonded network interfaces; document current XDP configurations and kernel versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38937
GHSA-cc9g-3x8w-qfw5