{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nbonding: fix type confusion in bond_setup_by_slave()\\n\\nkernel BUG at net\/core\/skbuff.c:2306!\\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\\nRIP: 0010:pskb_expand_head+0xa08\/0xfe0 net\/core\/skbuff.c:2306\\nRSP: 0018:ffffc90004aff760 EFLAGS: 00010293\\nRAX: 0000000000000000 RBX: ffff88807e3c8780 RCX: ffffffff89593e0e\\nRDX: ffff88807b7c4900 RSI: ffffffff89594747 RDI: ffff88807b7c4900\\nRBP: 0000000000000820 R08: 0000000000000005 R09: 0000000000000000\\nR10: 00000000961a63e0 R11: 0000000000000000 R12: ffff88807e3c8780\\nR13: 00000000961a6560 R14: dffffc0000000000 R15: 00000000961a63e0\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007fe1a0ed8df0 CR3: 000000002d816000 CR4: 00000000003526f0\\nCall Trace:\\n \\u003cTASK\\u003e\\n ipgre_header+0xdd\/0x540 net\/ipv4\/ip_gre.c:900\\n dev_hard_header include\/linux\/netdevice.h:3439 [inline]\\n packet_snd net\/packet\/af_packet.c:3028 [inline]\\n packet_sendmsg+0x3ae5\/0x53c0 net\/packet\/af_packet.c:3108\\n sock_sendmsg_nosec net\/socket.c:727 [inline]\\n __sock_sendmsg net\/socket.c:742 [inline]\\n ____sys_sendmsg+0xa54\/0xc30 net\/socket.c:2592\\n ___sys_sendmsg+0x190\/0x1e0 net\/socket.c:2646\\n __sys_sendmsg+0x170\/0x220 net\/socket.c:2678\\n do_syscall_x64 arch\/x86\/entry\/syscall_64.c:63 [inline]\\n do_syscall_64+0x106\/0xf80 arch\/x86\/entry\/syscall_64.c:94\\n entry_SYSCALL_64_after_hwframe+0x77\/0x7f\\nRIP: 0033:0x7fe1a0e6c1a9\\n\\nWhen a non-Ethernet device (e.g. GRE tunnel) is enslaved to a bond,\\nbond_setup_by_slave() directly copies the slave’s header_ops to the\\nbond device:\\n\\n bond_dev-\\u003eheader_ops = slave_dev-\\u003eheader_ops;\\n\\nThis causes a type confusion when dev_hard_header() is later called\\non the bond device. Functions like ipgre_header(), ip6gre_header(),all use\\nnetdev_priv(dev) to access their device-specific private data. When\\ncalled with the bond device, netdev_priv() returns the bond’s private\\ndata (struct bonding) instead of the expected type (e.g. struct\\nip_tunnel), leading to garbage values being read and kernel crashes.\\n\\nFix this by introducing bond_header_ops with wrapper functions that\\ndelegate to the active slave’s header_ops using the slave’s own\\ndevice. This ensures netdev_priv() in the slave’s header functions\\nalways receives the correct device.\\n\\nThe fix is placed in the bonding driver rather than individual device\\ndrivers, as the root cause is bond blindly inheriting header_ops from\\nthe slave without considering that these callbacks expect a specific\\nnetdev_priv() layout.\\n\\nThe type confusion can be observed by adding a printk in\\nipgre_header() and running the following commands:\\n\\n ip link add dummy0 type dummy\\n ip addr add 10.0.0.1\/24 dev dummy0\\n ip link set dummy0 up\\n ip link add gre1 type gre local 10.0.0.1\\n ip link add bond1 type bond mode active-backup\\n ip link set gre1 master bond1\\n ip link set gre1 up\\n ip link set bond1 up\\n ip addr add fe80::1\/64 dev bond1″,”published”:”2026-05-08T14:22:20.036Z”,”modified”:”2026-05-11T06:34:42.762Z”,”type”:”cve”,”title”:”bonding: fix type confusion in bond_setup_by_slave()”,”source”:”Linux”,”references”:”https:\/\/git.kernel.org\/stable\/c\/9baf26a91565b7bb2b1d9f99aaf884a2b28c2f6d\\nhttps:\/\/git.kernel.org\/stable\/c\/6ac890f1d60ac3707ee8dae15a67d9a833e49956\\nhttps:\/\/git.kernel.org\/stable\/c\/95597d11dc8bddb2b9a051c9232000bfbb5e43ba\\nhttps:\/\/git.kernel.org\/stable\/c\/950803f7254721c1c15858fbbfae3deaaeeecb11″,”id”:”CVE-2026-43456″,”bulletinFamily”:””,”cwe”:null,”cvelist”:null,”sourceData”:”Linux Linux 1284cd3a2b740d0118458d2ea470a1e5bc19b187\\nLinux Linux 1284cd3a2b740d0118458d2ea470a1e5bc19b187\\nLinux Linux 1284cd3a2b740d0118458d2ea470a1e5bc19b187\\nLinux Linux 1284cd3a2b740d0118458d2ea470a1e5bc19b187\\nLinux Linux 2.6.24″,”sourceHref”:””,”cvss”:{“score”:7.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Linux”,”version”:”1284cd3a2b740d0118458d2ea470a1e5bc19b187″,”vendor”:”Linux”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nbonding: fix type confusion in bond_setup_by_slave()\\n\\nkernel BUG at net\/core\/skbuff.c:2306!\\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\\nRIP:…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,28,12,15,13,7,11,5],"class_list":["post-52917","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n