CVE-2026-31502

Severity: HIGH (CVSS 3.1 score 7.8)
EPSS: 2.9%
Published: Apr 22, 2026
Last Modified: Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

team: fix header_ops type confusion with non-Ethernet ports

Similar to commit 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()") team has the same class of header_ops type confusion.

For non-Ethernet ports, team_setup_by_port() copies port_dev->header_ops directly. When the team device later calls dev_hard_header() or dev_parse_header(), these callbacks can run with the team net_device instead of the real lower device, so netdev_priv(dev) is interpreted as the wrong private type and can crash.

The syzbot report shows a crash in bond_header_create(), but the root cause is in team: the topology is gre -> bond -> team, and team calls the inherited header_ops with its own net_device instead of the lower device, so bond_header_create() receives a team device and interprets netdev_priv() as bonding private data, causing a type confusion crash.

Fix this by introducing team header_ops wrappers for create/parse, selecting a team port under RCU, and calling the lower device callbacks with port->dev, so each callback always sees the correct net_device context.

Also pass the selected lower device to the lower parse callback, so recursion is bounded in stacked non-Ethernet topologies and parse callbacks always run with the correct device context.
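The difference between copying a port's header_ops and wrapping them can be seen in a small user-space model. This is an added example, not kernel code or the actual patch: the struct layouts, the `kind` tag (which turns the misread of private data into a checkable error instead of a crash), the name `team_header_create`, and `run_model` are assumptions made for illustration, and only the bond -> team part of the topology is modelled.

```c
/* User-space model with constructed types; not kernel code. */
#include <stddef.h>
enum priv_kind { PRIV_BOND, PRIV_TEAM };
struct net_device;
struct header_ops { int (*create)(struct net_device *dev); };
struct net_device {
    const struct header_ops *header_ops;
    enum priv_kind kind; /* tag standing in for the private-data layout */
    void *priv;          /* models netdev_priv(dev) */
};
struct bond_priv { int hlen; };
struct team_priv { struct net_device *port_dev; };

/* Lower-device callback: only valid when dev is a bonding device. */
static int bond_header_create(struct net_device *dev)
{
    if (dev->kind != PRIV_BOND)
        return -1; /* kernel: priv misread as bonding data, can crash */
    return ((struct bond_priv *)dev->priv)->hlen;
}
static const struct header_ops bond_header_ops = { bond_header_create };

/* Fixed pattern (hypothetical name): forward with the port's net_device. */
static int team_header_create(struct net_device *team_dev)
{
    struct team_priv *team = team_dev->priv;
    struct net_device *port_dev = team->port_dev; /* kernel: picked under RCU */
    if (!port_dev || !port_dev->header_ops || !port_dev->header_ops->create)
        return 0;
    return port_dev->header_ops->create(port_dev);
}
static const struct header_ops team_header_ops = { team_header_create };

/* Models dev_hard_header(): passes the device it was called on. */
static int dev_hard_header(struct net_device *dev)
{
    return dev->header_ops->create(dev);
}

/* Stack bond -> team; return what a header build through team yields. */
int run_model(int use_wrapper)
{
    struct bond_priv bp = { 24 };
    struct net_device bond = { &bond_header_ops, PRIV_BOND, &bp };
    struct team_priv tp = { &bond };
    struct net_device team = { NULL, PRIV_TEAM, &tp };
    /* Vulnerable setup copies the port's ops; fixed setup installs wrappers. */
    team.header_ops = use_wrapper ? &team_header_ops : bond.header_ops;
    return dev_hard_header(&team);
}
```

`run_model(0)` reproduces the copied-ops setup, where the bonding callback receives the team device; `run_model(1)` uses the wrapper, so the callback sees the bonding device it expects.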

CVSS Details

Base Score: 7.8
Exploitability: 1.8
Impact: 5.9
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

EPSS Exploit Probability
2.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-843

Affected Products 11

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥3.7.1 – <6.12.80
linux   linux_kernel  *        ≥6.13 – <6.18.21
linux   linux_kernel  *        ≥6.19 – <6.19.11
linux   linux_kernel  3.7      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any

References 4

  • git.kernel.org https://git.kernel.org/stable/c/0a7468ed49a6b65d34abcc6eb60e15f7f6d34da0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/20491d384d973a63fbdaf7a71e38d69b0659ea55
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/425000dbf17373a4ab8be9428f5dc055ef870a56
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6d3161fa3eee64d46b766fb0db33ec7f300ef52d
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0a7468ed49a6b65d34abcc6eb60e15f7f6d34da0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/20491d384d973a63fbdaf7a71e38d69b0659ea55
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/425000dbf17373a4ab8be9428f5dc055ef870a56
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6d3161fa3eee64d46b766fb0db33ec7f300ef52d
    Patch