{ "threat_severity" : "Important", "public_date" : "2026-04-13T00:00:00Z", "bugzilla" : { "description" : "kernel: Linux kernel: Use-after-free in bonding driver leads to denial of service", "id" : "2457829", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2457829" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: bonding: fix use-after-free in bond_xmit_broadcast()\nbond_xmit_broadcast() reuses the original skb for the last slave\n(determined by bond_is_last_slave()) and clones it for others.\nConcurrent slave enslave/release can mutate the slave list during\nRCU-protected iteration, changing which slave is \"last\" mid-loop.\nThis causes the original skb to be double-consumed (double-freed).\nReplace the racy bond_is_last_slave() check with a simple index\ncomparison (i + 1 == slaves_count) against the pre-snapshot slave\ncount taken via READ_ONCE() before the loop. This preserves the\nzero-copy optimization for the last slave while making the \"last\"\ndetermination stable against concurrent list mutations.\nThe UAF can trigger the following crash:\n==================================================================\nBUG: KASAN: slab-use-after-free in skb_clone\nRead of size 8 at addr ffff888100ef8d40 by task exploit/147\nCPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY\nCall Trace:\n\ndump_stack_lvl (lib/dump_stack.c:123)\nprint_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\nkasan_report (mm/kasan/report.c:597)\nskb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)\nbond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)\nbond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)\ndev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)\n__dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)\nip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)\nip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)\nip6_output (net/ipv6/ip6_output.c:250)\nip6_send_skb (net/ipv6/ip6_output.c:1985)\nudp_v6_send_skb (net/ipv6/udp.c:1442)\nudpv6_sendmsg (net/ipv6/udp.c:1733)\n__sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)\n__x64_sys_sendto (net/socket.c:2209)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nAllocated by task 147:\nFreed by task 147:\nThe buggy address belongs to the object at ffff888100ef8c80\nwhich belongs to the cache skbuff_head_cache of size 224\nThe buggy address is located 192 bytes inside of\nfreed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)\nMemory state around the buggy address:\nffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc\nffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n>ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n^\nffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb\nffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================", "A flaw was found in the Linux kernel's bonding driver. A local attacker with low privileges could exploit a use-after-free vulnerability in the `bond_xmit_broadcast()` function. This occurs due to a race condition during concurrent slave enslave/release operations, which can lead to the original socket buffer (skb) being double-freed. Successful exploitation of this flaw can result in a system crash, leading to a denial of service." ], "statement" : "This is an Important impact flaw affecting the Linux kernel's bonding driver in Red Hat Enterprise Linux 6, 8.8 and later, 9.2 and later, and 10, as well as Red Hat In-Vehicle OS 2.0. A local attacker with low privileges could trigger a use-after-free vulnerability, leading to a system crash and denial of service. Red Hat Enterprise Linux 7, 8.2, 8.4, 8.6, and 9.0 are not affected as the vulnerable code is not present.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13566", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "kernel-0:6.12.0-124.55.1.el10_1" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31419\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31419\nhttps://lore.kernel.org/linux-cve-announce/2026041353-CVE-2026-31419-e176@gregkh/T" ], "name" : "CVE-2026-31419", "csaw" : false }