CVE-2026-23310
- EPSS 0.03%
- Published 25.03.2026 10:27:05
- Last modified 25.03.2026 15:41:33
- Source 416baaa9-dc9f-4396-8d5f-8c081f
bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded
In the Linux kernel, the following vulnerability has been resolved:

bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded

bond_option_mode_set() already rejects mode changes that would make a
loaded XDP program incompatible via bond_xdp_check(). However,
bond_option_xmit_hash_policy_set() has no such guard.

For 802.3ad and balance-xor modes, bond_xdp_check() returns false when
xmit_hash_policy is vlan+srcmac, because the 802.1q payload is usually
absent due to hardware offload. This means a user can:

1. Attach a native XDP program to a bond in 802.3ad/balance-xor mode
   with a compatible xmit_hash_policy (e.g. layer2+3).
2. Change xmit_hash_policy to vlan+srcmac while XDP remains loaded.

This leaves bond->xdp_prog set but bond_xdp_check() now returning false
for the same device. When the bond is later destroyed, dev_xdp_uninstall()
calls bond_xdp_set(dev, NULL, NULL) to remove the program, which hits
the bond_xdp_check() guard and returns -EOPNOTSUPP, triggering:

    WARN_ON(dev_xdp_install(dev, mode, bpf_op, NULL, 0, NULL))

Fix this by rejecting xmit_hash_policy changes to vlan+srcmac when an
XDP program is loaded on a bond in 802.3ad or balance-xor mode.

commit 39a0876d595b ("net, bonding: Disallow vlan+srcmac with XDP")
introduced bond_xdp_check() which returns false for 802.3ad/balance-xor
modes when xmit_hash_policy is vlan+srcmac. The check was wired into
bond_xdp_set() to reject XDP attachment with an incompatible policy, but
the symmetric path -- preventing xmit_hash_policy from being changed to an
incompatible value after XDP is already loaded -- was left unguarded in
bond_option_xmit_hash_policy_set().

Note:
commit 094ee6017ea0 ("bonding: check xdp prog when set bond mode")
later added a similar guard to bond_option_mode_set(), but
bond_option_xmit_hash_policy_set() remained unprotected.

Data is provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Vendor: Linux ≫ Product: Linux (default status: unaffected)

| Version | Version < | Status |
|---|---|---|
| 39a0876d595bd7c7512782dfcce0ee66f65bf221 | 5c262bd0e39320a6d6c8277cb8349ce21c01b8c1 | affected |
| 39a0876d595bd7c7512782dfcce0ee66f65bf221 | d36ad7e126c6a0c5f699583309ccc37e3a3263ea | affected |
| 39a0876d595bd7c7512782dfcce0ee66f65bf221 | 0ace8027e41f6f094ef6c1aca42d2ed6cd7af54e | affected |
| 39a0876d595bd7c7512782dfcce0ee66f65bf221 | e85fa809e507b9d8eff4840888b8c727e4e8448c | affected |
| 39a0876d595bd7c7512782dfcce0ee66f65bf221 | 479d589b40b836442bbdadc3fdb37f001bb67f26 | affected |

Vendor: Linux ≫ Product: Linux (default status: affected)

| Version | Bound | Status |
|---|---|---|
| 5.15 | | affected |
| 0 | < 5.15 | unaffected |
| 6.6.130 | <= 6.6.* | unaffected |
| 6.12.77 | <= 6.12.* | unaffected |
| 6.18.17 | <= 6.18.* | unaffected |
| 6.19.7 | <= 6.19.* | unaffected |
| 7.0 | <= * | unaffected |

VulnDex Vulnerability Enrichment
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.03% | 0.072 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|