CVE-2026-45970

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
27/05/2026
Last modified:
16/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bonding: alb: fix UAF in rlb_arp_recv during bond up/down<br /> <br /> The ALB RX path may access rx_hashtbl concurrently with bond<br /> teardown. During rapid bond up/down cycles, rlb_deinitialize()<br /> frees rx_hashtbl while RX handlers are still running, leading<br /> to a null pointer dereference detected by KASAN.<br /> <br /> However, the root cause is that rlb_arp_recv() can still be accessed<br /> after setting recv_probe to NULL, which is actually a use-after-free<br /> (UAF) issue. That is the reason for using the referenced commit in the<br /> Fixes tag.<br /> <br /> [ 214.174138] Oops: general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] SMP KASAN PTI<br /> [ 214.186478] KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef]<br /> [ 214.194933] CPU: 30 UID: 0 PID: 2375 Comm: ping Kdump: loaded Not tainted 6.19.0-rc8+ #2 PREEMPT(voluntary)<br /> [ 214.205907] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.14.0 01/14/2022<br /> [ 214.214357] RIP: 0010:rlb_arp_recv+0x505/0xab0 [bonding]<br /> [ 214.220320] Code: 0f 85 2b 05 00 00 48 b8 00 00 00 00 00 fc ff df 40 0f b6 ed 48 c1 e5 06 49 03 ad 78 01 00 00 48 8d 7d 28 48 89 fa 48 c1 ea 03 b6<br /> 04 02 84 c0 74 06 0f 8e 12 05 00 00 80 7d 28 00 0f 84 8c 00<br /> [ 214.241280] RSP: 0018:ffffc900073d8870 EFLAGS: 00010206<br /> [ 214.247116] RAX: dffffc0000000000 RBX: ffff888168556822 RCX: ffff88816855681e<br /> [ 214.255082] RDX: 000000000000001d RSI: dffffc0000000000 RDI: 00000000000000e8<br /> [ 214.263048] RBP: 00000000000000c0 R08: 0000000000000002 R09: ffffed11192021c8<br /> [ 214.271013] R10: ffff8888c9010e43 R11: 0000000000000001 R12: 1ffff92000e7b119<br /> [ 214.278978] R13: ffff8888c9010e00 R14: ffff888168556822 R15: ffff888168556810<br /> [ 214.286943] FS: 00007f85d2d9cb80(0000) GS:ffff88886ccb3000(0000) knlGS:0000000000000000<br /> [ 214.295966] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 214.302380] CR2: 00007f0d047b5e34 CR3: 00000008a1c2e002 CR4: 00000000001726f0<br /> [ 214.310347] Call Trace:<br /> [ 214.313070] <br /> [ 214.315318] ? __pfx_rlb_arp_recv+0x10/0x10 [bonding]<br /> [ 214.320975] bond_handle_frame+0x166/0xb60 [bonding]<br /> [ 214.326537] ? __pfx_bond_handle_frame+0x10/0x10 [bonding]<br /> [ 214.332680] __netif_receive_skb_core.constprop.0+0x576/0x2710<br /> [ 214.339199] ? __pfx_arp_process+0x10/0x10<br /> [ 214.343775] ? sched_balance_find_src_group+0x98/0x630<br /> [ 214.349513] ? __pfx___netif_receive_skb_core.constprop.0+0x10/0x10<br /> [ 214.356513] ? arp_rcv+0x307/0x690<br /> [ 214.360311] ? __pfx_arp_rcv+0x10/0x10<br /> [ 214.364499] ? __lock_acquire+0x58c/0xbd0<br /> [ 214.368975] __netif_receive_skb_one_core+0xae/0x1b0<br /> [ 214.374518] ? __pfx___netif_receive_skb_one_core+0x10/0x10<br /> [ 214.380743] ? lock_acquire+0x10b/0x140<br /> [ 214.385026] process_backlog+0x3f1/0x13a0<br /> [ 214.389502] ? process_backlog+0x3aa/0x13a0<br /> [ 214.394174] __napi_poll.constprop.0+0x9f/0x370<br /> [ 214.399233] net_rx_action+0x8c1/0xe60<br /> [ 214.403423] ? __pfx_net_rx_action+0x10/0x10<br /> [ 214.408193] ? lock_acquire.part.0+0xbd/0x260<br /> [ 214.413058] ? sched_clock_cpu+0x6c/0x540<br /> [ 214.417540] ? mark_held_locks+0x40/0x70<br /> [ 214.421920] handle_softirqs+0x1fd/0x860<br /> [ 214.426302] ? __pfx_handle_softirqs+0x10/0x10<br /> [ 214.431264] ? __neigh_event_send+0x2d6/0xf50<br /> [ 214.436131] do_softirq+0xb1/0xf0<br /> [ 214.439830] <br /> <br /> The issue is reproducible by repeatedly running<br /> ip link set bond0 up/down while receiving ARP messages, where<br /> rlb_arp_recv() can race with rlb_deinitialize() and dereference<br /> a freed rx_hashtbl entry.<br /> <br /> Fix this by setting recv_probe to NULL and then calling<br /> synchronize_net() to wait for any concurrent RX processing to finish.<br /> This ensures that no RX handler can access rx_hashtbl after it is freed<br /> in bond_alb_deinitialize().

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.0 (including) 5.10.252 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.202 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.165 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.128 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.75 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 6.19.4 (excluding)