{"api_version":"1","generated_at":"2026-05-13T07:41:51+00:00","cve":"CVE-2026-43234","urls":{"html":"https://cve.report/CVE-2026-43234","api":"https://cve.report/api/cve/CVE-2026-43234.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43234","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43234"},"summary":{"title":"team: avoid NETDEV_CHANGEMTU event when unregistering slave","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nteam: avoid NETDEV_CHANGEMTU event when unregistering slave\n\nsyzbot is reporting\n\n  unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3\n  ref_tracker: netdev@ffff88807dcf8618 has 1/2 users at\n       __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]\n       netdev_hold include/linux/netdevice.h:4429 [inline]\n       inetdev_init+0x201/0x4e0 net/ipv4/devinet.c:286\n       inetdev_event+0x251/0x1610 net/ipv4/devinet.c:1600\n       notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85\n       call_netdevice_notifiers_mtu net/core/dev.c:2318 [inline]\n       netif_set_mtu_ext+0x5aa/0x800 net/core/dev.c:9886\n       netif_set_mtu+0xd7/0x1b0 net/core/dev.c:9907\n       dev_set_mtu+0x126/0x260 net/core/dev_api.c:248\n       team_port_del+0xb07/0xcb0 drivers/net/team/team_core.c:1333\n       team_del_slave drivers/net/team/team_core.c:1936 [inline]\n       team_device_event+0x207/0x5b0 drivers/net/team/team_core.c:2929\n       notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85\n       call_netdevice_notifiers_extack net/core/dev.c:2281 [inline]\n       call_netdevice_notifiers net/core/dev.c:2295 [inline]\n       __dev_change_net_namespace+0xcb7/0x2050 net/core/dev.c:12592\n       do_setlink+0x2ce/0x4590 net/core/rtnetlink.c:3060\n       rtnl_changelink net/core/rtnetlink.c:3776 [inline]\n       __rtnl_newlink net/core/rtnetlink.c:3935 [inline]\n       rtnl_newlink+0x15a9/0x1be0 net/core/rtnetlink.c:4072\n       rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958\n       netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550\n       netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n       netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344\n       netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894\n\nproblem. Ido Schimmel found steps to reproduce\n\n  ip link add name team1 type team\n  ip link add name dummy1 mtu 1499 master team1 type dummy\n  ip netns add ns1\n  ip link set dev dummy1 netns ns1\n  ip -n ns1 link del dev dummy1\n\nand also found that the same issue was fixed in the bond driver in\ncommit f51048c3e07b (\"bonding: avoid NETDEV_CHANGEMTU event when\nunregistering slave\").\n\nLet's do similar thing for the team driver, with commit ad7c7b2172c3 (\"net:\nhold netdev instance lock during sysfs operations\") and commit 303a8487a657\n(\"net: s/__dev_set_mtu/__netif_set_mtu/\") also applied.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-06 12:16:43","updated_at":"2026-05-12 19:02:56"},"problem_types":["NVD-CWE-noinfo"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/bce42728ac4887060a24a585c5122fbd24939db7","name":"https://git.kernel.org/stable/c/bce42728ac4887060a24a585c5122fbd24939db7","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/bb4c698633c0e19717586a6524a33196cff01a32","name":"https://git.kernel.org/stable/c/bb4c698633c0e19717586a6524a33196cff01a32","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/5268892de70f0b29bde341db863b234aa9259c08","name":"https://git.kernel.org/stable/c/5268892de70f0b29bde341db863b234aa9259c08","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43234","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43234","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 bce42728ac4887060a24a585c5122fbd24939db7 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 5268892de70f0b29bde341db863b234aa9259c08 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 bb4c698633c0e19717586a6524a33196cff01a32 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3.3","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 3.3 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.16 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.6 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"43234","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/net/team/team_core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"bce42728ac4887060a24a585c5122fbd24939db7","status":"affected","version":"3d249d4ca7d0ed6629a135ea1ea21c72286c0d80","versionType":"git"},{"lessThan":"5268892de70f0b29bde341db863b234aa9259c08","status":"affected","version":"3d249d4ca7d0ed6629a135ea1ea21c72286c0d80","versionType":"git"},{"lessThan":"bb4c698633c0e19717586a6524a33196cff01a32","status":"affected","version":"3d249d4ca7d0ed6629a135ea1ea21c72286c0d80","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/net/team/team_core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"3.3"},{"lessThan":"3.3","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.16","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.6","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.16","versionStartIncluding":"3.3","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.6","versionStartIncluding":"3.3","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"3.3","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nteam: avoid NETDEV_CHANGEMTU event when unregistering slave\n\nsyzbot is reporting\n\n  unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3\n  ref_tracker: netdev@ffff88807dcf8618 has 1/2 users at\n       __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]\n       netdev_hold include/linux/netdevice.h:4429 [inline]\n       inetdev_init+0x201/0x4e0 net/ipv4/devinet.c:286\n       inetdev_event+0x251/0x1610 net/ipv4/devinet.c:1600\n       notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85\n       call_netdevice_notifiers_mtu net/core/dev.c:2318 [inline]\n       netif_set_mtu_ext+0x5aa/0x800 net/core/dev.c:9886\n       netif_set_mtu+0xd7/0x1b0 net/core/dev.c:9907\n       dev_set_mtu+0x126/0x260 net/core/dev_api.c:248\n       team_port_del+0xb07/0xcb0 drivers/net/team/team_core.c:1333\n       team_del_slave drivers/net/team/team_core.c:1936 [inline]\n       team_device_event+0x207/0x5b0 drivers/net/team/team_core.c:2929\n       notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85\n       call_netdevice_notifiers_extack net/core/dev.c:2281 [inline]\n       call_netdevice_notifiers net/core/dev.c:2295 [inline]\n       __dev_change_net_namespace+0xcb7/0x2050 net/core/dev.c:12592\n       do_setlink+0x2ce/0x4590 net/core/rtnetlink.c:3060\n       rtnl_changelink net/core/rtnetlink.c:3776 [inline]\n       __rtnl_newlink net/core/rtnetlink.c:3935 [inline]\n       rtnl_newlink+0x15a9/0x1be0 net/core/rtnetlink.c:4072\n       rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958\n       netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550\n       netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n       netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344\n       netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894\n\nproblem. Ido Schimmel found steps to reproduce\n\n  ip link add name team1 type team\n  ip link add name dummy1 mtu 1499 master team1 type dummy\n  ip netns add ns1\n  ip link set dev dummy1 netns ns1\n  ip -n ns1 link del dev dummy1\n\nand also found that the same issue was fixed in the bond driver in\ncommit f51048c3e07b (\"bonding: avoid NETDEV_CHANGEMTU event when\nunregistering slave\").\n\nLet's do similar thing for the team driver, with commit ad7c7b2172c3 (\"net:\nhold netdev instance lock during sysfs operations\") and commit 303a8487a657\n(\"net: s/__dev_set_mtu/__netif_set_mtu/\") also applied."}],"providerMetadata":{"dateUpdated":"2026-05-11T22:20:35.930Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/bce42728ac4887060a24a585c5122fbd24939db7"},{"url":"https://git.kernel.org/stable/c/5268892de70f0b29bde341db863b234aa9259c08"},{"url":"https://git.kernel.org/stable/c/bb4c698633c0e19717586a6524a33196cff01a32"}],"title":"team: avoid NETDEV_CHANGEMTU event when unregistering slave","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43234","datePublished":"2026-05-06T11:28:30.212Z","dateReserved":"2026-05-01T14:12:55.995Z","dateUpdated":"2026-05-11T22:20:35.930Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-06 12:16:43","lastModifiedDate":"2026-05-12 19:02:56","problem_types":["NVD-CWE-noinfo"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.3","versionEndExcluding":"6.18.16","matchCriteriaId":"7B3BAE31-1743-4215-A8D9-E51668D5BEDE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.6","matchCriteriaId":"373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43234","Ordinal":"1","Title":"team: avoid NETDEV_CHANGEMTU event when unregistering slave","CVE":"CVE-2026-43234","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43234","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nteam: avoid NETDEV_CHANGEMTU event when unregistering slave\n\nsyzbot is reporting\n\n  unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3\n  ref_tracker: netdev@ffff88807dcf8618 has 1/2 users at\n       __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]\n       netdev_hold include/linux/netdevice.h:4429 [inline]\n       inetdev_init+0x201/0x4e0 net/ipv4/devinet.c:286\n       inetdev_event+0x251/0x1610 net/ipv4/devinet.c:1600\n       notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85\n       call_netdevice_notifiers_mtu net/core/dev.c:2318 [inline]\n       netif_set_mtu_ext+0x5aa/0x800 net/core/dev.c:9886\n       netif_set_mtu+0xd7/0x1b0 net/core/dev.c:9907\n       dev_set_mtu+0x126/0x260 net/core/dev_api.c:248\n       team_port_del+0xb07/0xcb0 drivers/net/team/team_core.c:1333\n       team_del_slave drivers/net/team/team_core.c:1936 [inline]\n       team_device_event+0x207/0x5b0 drivers/net/team/team_core.c:2929\n       notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85\n       call_netdevice_notifiers_extack net/core/dev.c:2281 [inline]\n       call_netdevice_notifiers net/core/dev.c:2295 [inline]\n       __dev_change_net_namespace+0xcb7/0x2050 net/core/dev.c:12592\n       do_setlink+0x2ce/0x4590 net/core/rtnetlink.c:3060\n       rtnl_changelink net/core/rtnetlink.c:3776 [inline]\n       __rtnl_newlink net/core/rtnetlink.c:3935 [inline]\n       rtnl_newlink+0x15a9/0x1be0 net/core/rtnetlink.c:4072\n       rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958\n       netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550\n       netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n       netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344\n       netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894\n\nproblem. Ido Schimmel found steps to reproduce\n\n  ip link add name team1 type team\n  ip link add name dummy1 mtu 1499 master team1 type dummy\n  ip netns add ns1\n  ip link set dev dummy1 netns ns1\n  ip -n ns1 link del dev dummy1\n\nand also found that the same issue was fixed in the bond driver in\ncommit f51048c3e07b (\"bonding: avoid NETDEV_CHANGEMTU event when\nunregistering slave\").\n\nLet's do similar thing for the team driver, with commit ad7c7b2172c3 (\"net:\nhold netdev instance lock during sysfs operations\") and commit 303a8487a657\n(\"net: s/__dev_set_mtu/__netif_set_mtu/\") also applied.","Type":"Description","Title":"team: avoid NETDEV_CHANGEMTU event when unregistering slave"}]}}}