CVE-2026-23310

MEDIUM · CVSS 3.1: 5.5 · EPSS 2.4%
Published Mar 25, 2026 · Last Modified Jun 19, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded

bond_option_mode_set() already rejects mode changes that would make a loaded XDP program incompatible via bond_xdp_check(). However, bond_option_xmit_hash_policy_set() has no such guard.

For 802.3ad and balance-xor modes, bond_xdp_check() returns false when xmit_hash_policy is vlan+srcmac, because the 802.1q payload is usually absent due to hardware offload. This means a user can:

1. Attach a native XDP program to a bond in 802.3ad/balance-xor mode with a compatible xmit_hash_policy (e.g. layer2+3).
2. Change xmit_hash_policy to vlan+srcmac while XDP remains loaded.

This leaves bond->xdp_prog set but bond_xdp_check() now returning false for the same device. When the bond is later destroyed, dev_xdp_uninstall() calls bond_xdp_set(dev, NULL, NULL) to remove the program, which hits the bond_xdp_check() guard and returns -EOPNOTSUPP, triggering:

    WARN_ON(dev_xdp_install(dev, mode, bpf_op, NULL, 0, NULL))

Fix this by rejecting xmit_hash_policy changes to vlan+srcmac when an XDP program is loaded on a bond in 802.3ad or balance-xor mode.

commit 39a0876d595b ("net, bonding: Disallow vlan+srcmac with XDP") introduced bond_xdp_check() which returns false for 802.3ad/balance-xor modes when xmit_hash_policy is vlan+srcmac. The check was wired into bond_xdp_set() to reject XDP attachment with an incompatible policy, but the symmetric path -- preventing xmit_hash_policy from being changed to an incompatible value after XDP is already loaded -- was left unguarded in bond_option_xmit_hash_policy_set().

Note: commit 094ee6017ea0 ("bonding: check xdp prog when set bond mode") later added a similar guard to bond_option_mode_set(), but bond_option_xmit_hash_policy_set() remained unprotected.
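A simplified userspace model of the state checks described above, as an added example; it is not kernel source or code from the patch. The struct, enum and function names are assumptions that only mirror the rule the description gives for bond_xdp_check(), and `guarded` selects the unguarded or the fixed policy setter.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model types; names are illustrative, not the kernel's. */
enum mode { MODE_ACTIVEBACKUP, MODE_XOR, MODE_8023AD };
enum policy { POLICY_LAYER23, POLICY_VLAN_SRCMAC };
struct bond { enum mode mode; enum policy policy; const void *xdp_prog; };

/* Rule the description gives for bond_xdp_check(). */
static bool xdp_check(enum mode m, enum policy p)
{
    if (m == MODE_XOR || m == MODE_8023AD)
        return p != POLICY_VLAN_SRCMAC;
    return true; /* assumption: active-backup modeled as always compatible */
}

/* Attach (prog != NULL) or detach (prog == NULL); the guard runs for both. */
static int xdp_set(struct bond *b, const void *prog)
{
    if (!xdp_check(b->mode, b->policy))
        return -EOPNOTSUPP;
    b->xdp_prog = prog;
    return 0;
}

/* guarded == false models the unguarded setter, true the fixed one. */
static int policy_set(struct bond *b, enum policy p, bool guarded)
{
    if (guarded && b->xdp_prog && !xdp_check(b->mode, p))
        return -EOPNOTSUPP;
    b->policy = p;
    return 0;
}

/* Steps 1 and 2 from the description, then teardown; returns the detach result. */
int teardown_after_policy_change(bool guarded)
{
    static const int prog = 1; /* constructed stand-in for a loaded XDP program */
    struct bond b = { MODE_8023AD, POLICY_LAYER23, NULL };
    if (xdp_set(&b, &prog)) /* step 1: attach with a compatible policy */
        return 1;
    policy_set(&b, POLICY_VLAN_SRCMAC, guarded); /* step 2 */
    return xdp_set(&b, NULL); /* what teardown attempts */
}

int main(void)
{
    printf("unguarded: %d, guarded: %d\n", teardown_after_policy_change(false), teardown_after_policy_change(true));
}
```

In the unguarded case the detach fails because the same check that gates attachment also gates removal; with the guard, the policy change is refused instead and teardown succeeds.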

CVSS Details

Base Score: 5.5
Exploitability: 1.8
Impact: 3.6
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Threat Intelligence

EPSS Exploit Probability: 2.4% percentile
Exploit & Patch Status: No Known Exploit, Patch Available

Affected Products 6

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥5.15 – <6.6.130
linux   linux_kernel  *        ≥6.7 – <6.12.77
linux   linux_kernel  *        ≥6.13 – <6.18.17
linux   linux_kernel  *        ≥6.19 – <6.19.7
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any

References 6

  • git.kernel.org https://git.kernel.org/stable/c/0a80e6ecaf669c77260b44254f4a84d76bf83e89
  • git.kernel.org https://git.kernel.org/stable/c/0ace8027e41f6f094ef6c1aca42d2ed6cd7af54e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/479d589b40b836442bbdadc3fdb37f001bb67f26
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5c262bd0e39320a6d6c8277cb8349ce21c01b8c1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d36ad7e126c6a0c5f699583309ccc37e3a3263ea
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e85fa809e507b9d8eff4840888b8c727e4e8448c
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0ace8027e41f6f094ef6c1aca42d2ed6cd7af54e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/479d589b40b836442bbdadc3fdb37f001bb67f26
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5c262bd0e39320a6d6c8277cb8349ce21c01b8c1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d36ad7e126c6a0c5f699583309ccc37e3a3263ea
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e85fa809e507b9d8eff4840888b8c727e4e8448c
    Patch