HIGH
bonding HeaderParse Loop
CVE-2026-23451
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
KernelScan AI: 5.5 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

bonding: prevent potential infinite loop in bond_header_parse()

bond_header_parse() can loop if a stack of two bonding devices is set up, because skb->dev always points to the hierarchy top.

Add new "const struct net_device *dev" parameter to (struct header_ops)->parse() method to make sure the recursion is bounded, and that the final leaf parse method is called.
02 KernelScan AI Analysis
Risk summary
Systems using stacked bonding devices are vulnerable to kernel denial of service through infinite loops in header parsing. The vulnerability requires local access with network configuration privileges to create the problematic bonding stack configuration.
Vulnerability analysis
The vulnerability occurs in bond_header_parse() when two bonding devices are stacked. The function recursively calls itself because skb->dev always points to the top-level device in the hierarchy, creating an unbounded recursion that leads to stack exhaustion and kernel panic. The fix adds an explicit device parameter to the header_ops->parse() method signature, ensuring that each recursive call operates on the correct device in the stack and preventing infinite loops by making recursion bounded to the actual device hierarchy depth.
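The difference between the two call patterns can be seen in a user-space model. This is an added example, not kernel code and not taken from the patch: the structs are cut down to the fields needed, and the single `active_slave` pointer, the `depth` counter and `MAX_DEPTH` guard are assumptions of the model so that the pre-fix variant terminates and can be observed.

```c
#include <stdio.h>
#include <stddef.h>

#define MAX_DEPTH 64 /* model-only guard; the pre-fix kernel path has no such bound */

struct net_device;
struct sk_buff { const struct net_device *dev; }; /* always the hierarchy top */

struct net_device {
    const char *name;
    const struct net_device *active_slave; /* NULL for a leaf NIC (simplified) */
    int (*parse_old)(const struct sk_buff *skb, int depth);
    int (*parse_new)(const struct sk_buff *skb, const struct net_device *dev, int depth);
};

/* Pre-fix shape: the lower device is derived from skb->dev on every call. */
static int bond_parse_old(const struct sk_buff *skb, int depth)
{
    const struct net_device *slave = skb->dev->active_slave;
    if (depth >= MAX_DEPTH) return -1; /* report "did not terminate" */
    return (slave && slave->parse_old) ? slave->parse_old(skb, depth + 1) : 0;
}

/* Post-fix shape: the device being parsed is passed explicitly at each level. */
static int bond_parse_new(const struct sk_buff *skb, const struct net_device *dev, int depth)
{
    const struct net_device *slave = dev->active_slave;
    if (depth >= MAX_DEPTH) return -1;
    return (slave && slave->parse_new) ? slave->parse_new(skb, slave, depth + 1) : 0;
}

/* Leaf parse methods return the total number of parse() calls made. */
static int leaf_parse_old(const struct sk_buff *skb, int depth) { (void)skb; return depth + 1; }
static int leaf_parse_new(const struct sk_buff *skb, const struct net_device *dev, int depth)
{ (void)skb; (void)dev; return depth + 1; }

/* Constructed topology: bond1 -> bond0 -> eth0 */
static const struct net_device eth0  = { "eth0",  NULL,   leaf_parse_old, leaf_parse_new };
static const struct net_device bond0 = { "bond0", &eth0,  bond_parse_old, bond_parse_new };
static const struct net_device bond1 = { "bond1", &bond0, bond_parse_old, bond_parse_new };

int run_old(const struct net_device *top) { struct sk_buff skb = { top }; return top->parse_old(&skb, 0); }
int run_new(const struct net_device *top) { struct sk_buff skb = { top }; return top->parse_new(&skb, top, 0); }

int main(void)
{
    printf("%s old=%d new=%d\n", bond0.name, run_old(&bond0), run_new(&bond0));
    printf("%s old=%d new=%d\n", bond1.name, run_old(&bond1), run_new(&bond1));
    return 0;
}
```

A result of -1 means the model's depth guard fired, which happens only for the old call shape on the stacked `bond1` device; with the explicit `dev` argument the call count equals the depth of the device hierarchy and the leaf parse method is reached.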
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.20 | 946bb6cacf0c |
| 6.19 | 6.19.10 | 4172a7901cf4 |