net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-53069
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-06-24 17:17:20 UTC
Updated2026-06-24 17:17:20 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master syzkaller reported a kernel panic in bond_rr_gen_slave_id() reached via xdp_master_redirect(). Full decoded trace: https://syzkaller.appspot.com/bug?extid=80e046b8da2820b6ba73 bond_rr_gen_slave_id() dereferences bond->rr_tx_counter, a per-CPU counter that bonding only allocates in bond_open() when the mode is round-robin. If the bond device was never brought up, rr_tx_counter stays NULL. The XDP redirect path can still reach that code on a bond that was never opened: bpf_master_redirect_enabled_key is a global static key, so as soon as any bond device has native XDP attached, the XDP_TX -> xdp_master_redirect() interception is enabled for every slave system-wide. The path xdp_master_redirect() -> bond_xdp_get_xmit_slave() -> bond_xdp_xmit_roundrobin_slave_get() -> bond_rr_gen_slave_id() then runs against a bond that has no rr_tx_counter and crashes. Fix this in the generic xdp_master_redirect() by refusing to call into the master's ->ndo_xdp_get_xmit_slave() when the master device is not up. IFF_UP is only set after ->ndo_open() has successfully returned, so this reliably excludes masters whose XDP state has not been fully initialized. Drop the frame with XDP_ABORTED so the exception is visible via trace_xdp_exception() rather than silently falling through. This is not specific to bonding: any current or future master that defers XDP state allocation to ->ndo_open() is protected.

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 879af96ffd72706c6e3278ea6b45b0b0e37ec5d7 3128b294b426533c8d9162187446d93a8a160359 git Not specified
CNA Linux Linux affected 879af96ffd72706c6e3278ea6b45b0b0e37ec5d7 acbf45bd584d924b320bee2a7fe2a26f64904d95 git Not specified
CNA Linux Linux affected 879af96ffd72706c6e3278ea6b45b0b0e37ec5d7 866d3d9b87751b1944168fd82615505e0c0fd6cf git Not specified
CNA Linux Linux affected 879af96ffd72706c6e3278ea6b45b0b0e37ec5d7 183128da0406b1c10e6f60b7b9fe70788b9c8c1d git Not specified
CNA Linux Linux affected 879af96ffd72706c6e3278ea6b45b0b0e37ec5d7 7bad93e99737e4a5c0c14ac50c05152cf4e28022 git Not specified
CNA Linux Linux affected 879af96ffd72706c6e3278ea6b45b0b0e37ec5d7 ea690b3b6e58ae00979af8195b4cc24df466b65e git Not specified
CNA Linux Linux affected 879af96ffd72706c6e3278ea6b45b0b0e37ec5d7 1921f91298d1388a0bb9db8f83800c998b649cb3 git Not specified
CNA Linux Linux affected 5.15 Not specified
CNA Linux Linux unaffected 5.15 semver Not specified
CNA Linux Linux unaffected 5.15.209 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.175 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.141 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.91 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.33 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.10 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/866d3d9b87751b1944168fd82615505e0c0fd6cf 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/ea690b3b6e58ae00979af8195b4cc24df466b65e 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/1921f91298d1388a0bb9db8f83800c998b649cb3 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/183128da0406b1c10e6f60b7b9fe70788b9c8c1d 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/3128b294b426533c8d9162187446d93a8a160359 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/acbf45bd584d924b320bee2a7fe2a26f64904d95 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/7bad93e99737e4a5c0c14ac50c05152cf4e28022 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report