7.5

CVE-2026-53069

net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master

In the Linux kernel, the following vulnerability has been resolved:

net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master

syzkaller reported a kernel panic in bond_rr_gen_slave_id() reached via
xdp_master_redirect(). Full decoded trace:

  https://syzkaller.appspot.com/bug?extid=80e046b8da2820b6ba73

bond_rr_gen_slave_id() dereferences bond->rr_tx_counter, a per-CPU
counter that bonding only allocates in bond_open() when the mode is
round-robin. If the bond device was never brought up, rr_tx_counter
stays NULL.

The XDP redirect path can still reach that code on a bond that was
never opened: bpf_master_redirect_enabled_key is a global static key,
so as soon as any bond device has native XDP attached, the
XDP_TX -> xdp_master_redirect() interception is enabled for every
slave system-wide. The path xdp_master_redirect() ->
bond_xdp_get_xmit_slave() -> bond_xdp_xmit_roundrobin_slave_get() ->
bond_rr_gen_slave_id() then runs against a bond that has no
rr_tx_counter and crashes.

Fix this in the generic xdp_master_redirect() by refusing to call into
the master's ->ndo_xdp_get_xmit_slave() when the master device is not
up. IFF_UP is only set after ->ndo_open() has successfully returned,
so this reliably excludes masters whose XDP state has not been fully
initialized. Drop the frame with XDP_ABORTED so the exception is
visible via trace_xdp_exception() rather than silently falling through.
This is not specific to bonding: any current or future master that
defers XDP state allocation to ->ndo_open() is protected.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version 879af96ffd72706c6e3278ea6b45b0b0e37ec5d7
Version < 3128b294b426533c8d9162187446d93a8a160359
Status affected
Version 879af96ffd72706c6e3278ea6b45b0b0e37ec5d7
Version < acbf45bd584d924b320bee2a7fe2a26f64904d95
Status affected
Version 879af96ffd72706c6e3278ea6b45b0b0e37ec5d7
Version < 866d3d9b87751b1944168fd82615505e0c0fd6cf
Status affected
Version 879af96ffd72706c6e3278ea6b45b0b0e37ec5d7
Version < 183128da0406b1c10e6f60b7b9fe70788b9c8c1d
Status affected
Version 879af96ffd72706c6e3278ea6b45b0b0e37ec5d7
Version < 7bad93e99737e4a5c0c14ac50c05152cf4e28022
Status affected
Version 879af96ffd72706c6e3278ea6b45b0b0e37ec5d7
Version < ea690b3b6e58ae00979af8195b4cc24df466b65e
Status affected
Version 879af96ffd72706c6e3278ea6b45b0b0e37ec5d7
Version < 1921f91298d1388a0bb9db8f83800c998b649cb3
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 5.15
Status affected
Version 0
Version < 5.15
Status unaffected
Version <= 5.15.*
Version 5.15.209
Status unaffected
Version <= 6.1.*
Version 6.1.175
Status unaffected
Version <= 6.6.*
Version 6.6.141
Status unaffected
Version <= 6.12.*
Version 6.12.91
Status unaffected
Version <= 6.18.*
Version 6.18.33
Status unaffected
Version <= 7.0.*
Version 7.0.10
Status unaffected
Version <= *
Version 7.1
Status unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.39% 0.303
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/3128b294b426533c8d9162187446d93a8a160359
https://git.kernel.org/stable/c/acbf45bd584d924b320bee2a7fe2a26f64904d95
https://git.kernel.org/stable/c/866d3d9b87751b1944168fd82615505e0c0fd6cf
https://git.kernel.org/stable/c/183128da0406b1c10e6f60b7b9fe70788b9c8c1d
https://git.kernel.org/stable/c/7bad93e99737e4a5c0c14ac50c05152cf4e28022
https://git.kernel.org/stable/c/ea690b3b6e58ae00979af8195b4cc24df466b65e
https://git.kernel.org/stable/c/1921f91298d1388a0bb9db8f83800c998b649cb3