CVE-2026-31419

EUVD-2026-21943

13.04.2026, 14:16

In the Linux kernel, the following vulnerability has been resolved:

net: bonding: fix use-after-free in bond_xmit_broadcast()

bond_xmit_broadcast() reuses the original skb for the last slave
(determined by bond_is_last_slave()) and clones it for others.
Concurrent slave enslave/release can mutate the slave list during
RCU-protected iteration, changing which slave is "last" mid-loop.
This causes the original skb to be double-consumed (double-freed).

Replace the racy bond_is_last_slave() check with a simple index
comparison (i + 1 == slaves_count) against the pre-snapshot slave
count taken via READ_ONCE() before the loop.  This preserves the
zero-copy optimization for the last slave while making the "last"
determination stable against concurrent list mutations.

The UAF can trigger the following crash:

==================================================================
BUG: KASAN: slab-use-after-free in skb_clone
Read of size 8 at addr ffff888100ef8d40 by task exploit/147

CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY
Call Trace:
 <TASK>
 dump_stack_lvl (lib/dump_stack.c:123)
 print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
 kasan_report (mm/kasan/report.c:597)
 skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)
 bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)
 bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)
 dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)
 __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)
 ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)
 ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)
 ip6_output (net/ipv6/ip6_output.c:250)
 ip6_send_skb (net/ipv6/ip6_output.c:1985)
 udp_v6_send_skb (net/ipv6/udp.c:1442)
 udpv6_sendmsg (net/ipv6/udp.c:1733)
 __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)
 __x64_sys_sendto (net/socket.c:2209)
 do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
 </TASK>

Allocated by task 147:

Freed by task 147:

The buggy address belongs to the object at ffff888100ef8c80
 which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 192 bytes inside of
 freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)

Memory state around the buggy address:
 ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                                                    ^
 ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
 ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

linux

bookworm	vulnerable
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
forky	vulnerable
sid	vulnerable
trixie	vulnerable
trixie (security)	vulnerable

Ubuntu Releases

Ubuntu Product

Codename

linux

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
questing	needs-triage
trusty	needs-triage
xenial	needs-triage

linux-hwe

bionic	ignored
jammy	dne
noble	dne
questing	dne
xenial	needs-triage

linux-hwe-5.4

bionic	needs-triage
jammy	dne
noble	dne
questing	dne

linux-hwe-5.8

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-hwe-5.11

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-hwe-5.13

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-hwe-5.15

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-hwe-5.19

jammy	ignored
noble	dne
questing	dne

linux-hwe-6.2

jammy	ignored
noble	dne
questing	dne

linux-hwe-6.5

jammy	ignored
noble	dne
questing	dne

linux-hwe-6.8

jammy	needs-triage
noble	dne
questing	dne

linux-hwe-6.11

jammy	dne
noble	ignored
questing	dne

linux-hwe-6.14

jammy	dne
noble	needs-triage
questing	dne

linux-hwe-6.17

jammy	dne
noble	needs-triage
questing	dne

linux-hwe-edge

bionic	ignored
jammy	dne
noble	dne
questing	dne
xenial	ignored

linux-lts-xenial

jammy	dne
noble	dne
questing	dne
trusty	needs-triage

linux-kvm

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
questing	dne
xenial	needs-triage

linux-allwinner-5.19

jammy	ignored
noble	dne
questing	dne

linux-aws

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
questing	needs-triage
trusty	needs-triage
xenial	needs-triage

linux-aws-5.0

bionic	ignored
jammy	dne
noble	dne
questing	dne

linux-aws-5.3

bionic	ignored
jammy	dne
noble	dne
questing	dne

linux-aws-5.4

bionic	needs-triage
jammy	dne
noble	dne
questing	dne

linux-aws-5.8

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-aws-5.11

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-aws-5.13

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-aws-5.15

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-aws-5.19

jammy	ignored
noble	dne
questing	dne

linux-aws-6.2

jammy	ignored
noble	dne
questing	dne

linux-aws-6.5

jammy	ignored
noble	dne
questing	dne

linux-aws-6.8

jammy	needs-triage
noble	dne
questing	dne

linux-aws-6.14

jammy	dne
noble	needs-triage
questing	dne

linux-aws-6.17

jammy	dne
noble	needs-triage
questing	dne

linux-aws-hwe

jammy	dne
noble	dne
questing	dne
xenial	needs-triage

linux-azure

bionic	ignored
focal	needs-triage
jammy	needs-triage
noble	needs-triage
questing	needs-triage
trusty	needs-triage
xenial	needs-triage

linux-azure-4.15

bionic	needs-triage
jammy	dne
noble	dne
questing	dne

linux-azure-5.3

bionic	ignored
jammy	dne
noble	dne
questing	dne

linux-azure-5.4

bionic	needs-triage
jammy	dne
noble	dne
questing	dne

linux-azure-5.8

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-azure-5.11

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-azure-5.13

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-azure-5.15

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-azure-5.19

jammy	ignored
noble	dne
questing	dne

linux-azure-6.2

jammy	ignored
noble	dne
questing	dne

linux-gcp

bionic	ignored
focal	needs-triage
jammy	needs-triage
noble	needs-triage
questing	needs-triage
xenial	needs-triage

linux-azure-6.5

jammy	ignored
noble	dne
questing	dne

linux-azure-6.8

jammy	needs-triage
noble	dne
questing	dne

linux-azure-6.11

jammy	dne
noble	ignored
questing	dne

linux-azure-6.14

jammy	dne
noble	needs-triage
questing	dne

linux-azure-6.17

jammy	dne
noble	needs-triage
questing	dne

linux-azure-fde

focal	ignored
jammy	needs-triage
noble	needs-triage
questing	needs-triage

linux-azure-fde-5.15

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-azure-fde-5.19

jammy	ignored
noble	dne
questing	dne

linux-azure-fde-6.2

jammy	ignored
noble	dne
questing	dne

linux-azure-fde-6.8

jammy	needs-triage
noble	dne
questing	dne

linux-azure-fde-6.14

jammy	dne
noble	needs-triage
questing	dne

linux-azure-fde-6.17

jammy	dne
noble	needs-triage
questing	dne

linux-azure-nvidia

jammy	dne
noble	needs-triage
questing	dne

linux-azure-nvidia-6.14

jammy	dne
noble	needs-triage
questing	dne

linux-bluefield

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-azure-edge

bionic	ignored
jammy	dne
noble	dne
questing	dne

linux-fips

bionic	needs-triage
focal	needs-triage
jammy	dne
noble	dne
questing	dne
xenial	needs-triage

linux-aws-fips

bionic	needs-triage
focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-azure-fips

bionic	needs-triage
focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-gcp-fips

bionic	needs-triage
focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-gcp-4.15

bionic	needs-triage
jammy	dne
noble	dne
questing	dne

linux-gcp-5.3

bionic	ignored
jammy	dne
noble	dne
questing	dne

linux-gcp-5.4

bionic	needs-triage
jammy	dne
noble	dne
questing	dne

linux-gcp-5.8

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-gcp-5.11

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-gcp-5.13

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-gcp-5.15

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-gcp-5.19

jammy	ignored
noble	dne
questing	dne

linux-gcp-6.2

jammy	ignored
noble	dne
questing	dne

linux-gcp-6.5

jammy	ignored
noble	dne
questing	dne

linux-gcp-6.8

jammy	needs-triage
noble	dne
questing	dne

linux-gcp-6.11

jammy	dne
noble	ignored
questing	dne

linux-gcp-6.14

jammy	dne
noble	needs-triage
questing	dne

linux-gcp-6.17

jammy	dne
noble	needs-triage
questing	dne

linux-gke

focal	ignored
jammy	needs-triage
noble	needs-triage
questing	dne

linux-gke-4.15

bionic	ignored
jammy	dne
noble	dne
questing	dne

linux-gke-5.4

bionic	ignored
jammy	dne
noble	dne
questing	dne

linux-gke-5.15

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-gkeop

focal	ignored
jammy	needs-triage
noble	needs-triage
questing	dne

linux-gkeop-5.4

bionic	ignored
jammy	dne
noble	dne
questing	dne

linux-gkeop-5.15

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-ibm

focal	needs-triage
jammy	needs-triage
noble	needs-triage
questing	dne

linux-ibm-5.4

bionic	needs-triage
jammy	dne
noble	dne
questing	dne

linux-ibm-5.15

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-ibm-6.8

jammy	needs-triage
noble	dne
questing	dne

linux-intel-5.13

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-intel-iotg

jammy	needs-triage
noble	dne
questing	dne

linux-intel-iotg-5.15

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-iot

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-intel-iot-realtime

jammy	ignored
noble	dne
questing	dne

linux-lowlatency

jammy	needs-triage
noble	needs-triage
questing	dne

linux-lowlatency-hwe-5.15

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-lowlatency-hwe-5.19

jammy	ignored
noble	dne
questing	dne

linux-lowlatency-hwe-6.2

jammy	ignored
noble	dne
questing	dne

linux-lowlatency-hwe-6.5

jammy	ignored
noble	dne
questing	dne

linux-lowlatency-hwe-6.8

jammy	needs-triage
noble	dne
questing	dne

linux-lowlatency-hwe-6.11

jammy	dne
noble	ignored
questing	dne

linux-nvidia

jammy	needs-triage
noble	needs-triage
questing	dne

linux-nvidia-6.2

jammy	ignored
noble	dne
questing	dne

linux-nvidia-6.5

jammy	ignored
noble	dne
questing	dne

linux-nvidia-6.8

jammy	needs-triage
noble	dne
questing	dne

linux-nvidia-6.11

jammy	dne
noble	ignored
questing	dne

linux-nvidia-lowlatency

jammy	dne
noble	needs-triage
questing	dne

linux-nvidia-tegra

jammy	needs-triage
noble	needs-triage
questing	dne

linux-nvidia-tegra-5.15

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-nvidia-tegra-igx

jammy	needs-triage
noble	dne
questing	dne

linux-oracle

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
questing	needs-triage
xenial	needs-triage

linux-oracle-5.0

bionic	ignored
jammy	dne
noble	dne
questing	dne

linux-oracle-5.3

bionic	ignored
jammy	dne
noble	dne
questing	dne

linux-oracle-5.4

bionic	needs-triage
jammy	dne
noble	dne
questing	dne

linux-oracle-5.8

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-oracle-5.11

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-oracle-5.13

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-oracle-5.15

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-oracle-6.5

jammy	ignored
noble	dne
questing	dne

linux-oracle-6.8

jammy	needs-triage
noble	dne
questing	dne

linux-oracle-6.14

jammy	dne
noble	needs-triage
questing	dne

linux-oracle-6.17

jammy	dne
noble	needs-triage
questing	dne

linux-oem

bionic	ignored
jammy	dne
noble	dne
questing	dne

linux-oem-5.6

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-oem-5.10

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-oem-5.13

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-oem-5.14

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-oem-5.17

jammy	ignored
noble	dne
questing	dne

linux-oem-6.0

jammy	ignored
noble	dne
questing	dne

linux-oem-6.1

jammy	ignored
noble	dne
questing	dne

linux-oem-6.5

jammy	ignored
noble	dne
questing	dne

linux-oem-6.8

jammy	dne
noble	ignored
questing	dne

linux-oem-6.11

jammy	dne
noble	ignored
questing	dne

linux-oem-6.14

jammy	dne
noble	needs-triage
questing	dne

linux-oem-6.17

jammy	dne
noble	needs-triage
questing	dne

linux-raspi

focal	needs-triage
jammy	needs-triage
noble	needs-triage
questing	needs-triage

linux-raspi2

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-raspi-5.4

bionic	needs-triage
jammy	dne
noble	dne
questing	dne

linux-raspi-realtime

jammy	dne
noble	ignored
questing	dne

linux-realtime

jammy	ignored
noble	ignored
questing	needs-triage

linux-realtime-6.8

jammy	dne
noble	dne
questing	dne

linux-realtime-6.14

jammy	dne
noble	dne
questing	dne

linux-riscv

focal	ignored
jammy	ignored
noble	ignored
questing	needs-triage

linux-riscv-5.8

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-riscv-5.11

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-riscv-5.15

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-riscv-5.19

jammy	ignored
noble	dne
questing	dne

linux-riscv-6.5

jammy	ignored
noble	dne
questing	dne

linux-riscv-6.8

jammy	needs-triage
noble	dne
questing	dne

linux-riscv-6.14

jammy	dne
noble	ignored
questing	dne

linux-riscv-6.17

jammy	dne
noble	needs-triage
questing	dne

linux-starfive-5.19

jammy	ignored
noble	dne
questing	dne

linux-starfive-6.2

jammy	ignored
noble	dne
questing	dne

linux-starfive-6.5

jammy	ignored
noble	dne
questing	dne

linux-xilinx

jammy	dne
noble	needs-triage
questing	dne

linux-xilinx-zynqmp

focal	needs-triage
jammy	needs-triage
noble	dne
questing	dne

linux-realtime-6.17

jammy	dne
noble	dne
questing	dne

References

https://git.kernel.org/stable/c/2884bf72fb8f03409e423397319205de48adca16

https://git.kernel.org/stable/c/d4cc7e4c80b1634c7b1497574a2fdb18df6c026c

https://git.kernel.org/stable/c/f5b94654a4a19891a8108d66ef166de6c028c6cd