CVE-2026-31419

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: bonding: fix use-after-free in bond_xmit_broadcast()<br /> <br /> bond_xmit_broadcast() reuses the original skb for the last slave<br /> (determined by bond_is_last_slave()) and clones it for others.<br /> Concurrent slave enslave/release can mutate the slave list during<br /> RCU-protected iteration, changing which slave is "last" mid-loop.<br /> This causes the original skb to be double-consumed (double-freed).<br /> <br /> Replace the racy bond_is_last_slave() check with a simple index<br /> comparison (i + 1 == slaves_count) against the pre-snapshot slave<br /> count taken via READ_ONCE() before the loop. This preserves the<br /> zero-copy optimization for the last slave while making the "last"<br /> determination stable against concurrent list mutations.<br /> <br /> The UAF can trigger the following crash:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in skb_clone<br /> Read of size 8 at addr ffff888100ef8d40 by task exploit/147<br /> <br /> CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY<br /> Call Trace:<br /> <br /> dump_stack_lvl (lib/dump_stack.c:123)<br /> print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)<br /> kasan_report (mm/kasan/report.c:597)<br /> skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)<br /> bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)<br /> bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)<br /> dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)<br /> __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)<br /> ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)<br /> ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)<br /> ip6_output (net/ipv6/ip6_output.c:250)<br /> ip6_send_skb (net/ipv6/ip6_output.c:1985)<br /> udp_v6_send_skb (net/ipv6/udp.c:1442)<br /> udpv6_sendmsg (net/ipv6/udp.c:1733)<br /> __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)<br /> __x64_sys_sendto (net/socket.c:2209)<br /> do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)<br /> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)<br /> <br /> <br /> Allocated by task 147:<br /> <br /> Freed by task 147:<br /> <br /> The buggy address belongs to the object at ffff888100ef8c80<br /> which belongs to the cache skbuff_head_cache of size 224<br /> The buggy address is located 192 bytes inside of<br /> freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)<br /> <br /> Memory state around the buggy address:<br /> ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc<br /> ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> &gt;ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc<br /> ^<br /> ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb<br /> ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ==================================================================