CVE-2026-43234

EUVD-2026-27793

06.05.2026, 12:16

In the Linux kernel, the following vulnerability has been resolved:

team: avoid NETDEV_CHANGEMTU event when unregistering slave

syzbot is reporting

  unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3
  ref_tracker: netdev@ffff88807dcf8618 has 1/2 users at
       __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]
       netdev_hold include/linux/netdevice.h:4429 [inline]
       inetdev_init+0x201/0x4e0 net/ipv4/devinet.c:286
       inetdev_event+0x251/0x1610 net/ipv4/devinet.c:1600
       notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
       call_netdevice_notifiers_mtu net/core/dev.c:2318 [inline]
       netif_set_mtu_ext+0x5aa/0x800 net/core/dev.c:9886
       netif_set_mtu+0xd7/0x1b0 net/core/dev.c:9907
       dev_set_mtu+0x126/0x260 net/core/dev_api.c:248
       team_port_del+0xb07/0xcb0 drivers/net/team/team_core.c:1333
       team_del_slave drivers/net/team/team_core.c:1936 [inline]
       team_device_event+0x207/0x5b0 drivers/net/team/team_core.c:2929
       notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
       call_netdevice_notifiers_extack net/core/dev.c:2281 [inline]
       call_netdevice_notifiers net/core/dev.c:2295 [inline]
       __dev_change_net_namespace+0xcb7/0x2050 net/core/dev.c:12592
       do_setlink+0x2ce/0x4590 net/core/rtnetlink.c:3060
       rtnl_changelink net/core/rtnetlink.c:3776 [inline]
       __rtnl_newlink net/core/rtnetlink.c:3935 [inline]
       rtnl_newlink+0x15a9/0x1be0 net/core/rtnetlink.c:4072
       rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958
       netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550
       netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
       netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344
       netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894

problem. Ido Schimmel found steps to reproduce

  ip link add name team1 type team
  ip link add name dummy1 mtu 1499 master team1 type dummy
  ip netns add ns1
  ip link set dev dummy1 netns ns1
  ip -n ns1 link del dev dummy1

and also found that the same issue was fixed in the bond driver in
commit f51048c3e07b ("bonding: avoid NETDEV_CHANGEMTU event when
unregistering slave").

Let's do similar thing for the team driver, with commit ad7c7b2172c3 ("net:
hold netdev instance lock during sysfs operations") and commit 303a8487a657
("net: s/__dev_set_mtu/__netif_set_mtu/") also applied.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	3.3 ≤ 𝑥 < 6.18.16
linux	linux_kernel	6.19 ≤ 𝑥 < 6.19.6
linux	linux_kernel	7.0:rc1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	vulnerable
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
forky	7.0.12-2 fixed
sid	7.0.13-1 fixed
trixie	vulnerable
trixie (security)	vulnerable

openSUSE / SLES Releases

openSUSE Product

Release

cluster-md-kmp-default

suse enterprise server 12 SP5

4.12.14-122.317.1

fixed

dlm-kmp-default

suse enterprise server 12 SP5

4.12.14-122.317.1

fixed

gfs2-kmp-default

suse enterprise server 12 SP5

4.12.14-122.317.1

fixed

kernel-64kb

suse enterprise desktop 15 SP7	6.4.0-150700.53.60.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.60.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.60.1 fixed

kernel-default

suse enterprise desktop 15 SP7	6.4.0-150700.53.60.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.60.1 fixed
suse enterprise server 12 SP5	4.12.14-122.317.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.60.1 fixed

kernel-default-base

suse enterprise desktop 15 SP7	6.4.0-150700.53.60.1.150700.17.35.4 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.60.1.150700.17.35.4 fixed
suse enterprise server 12 SP5	4.12.14-122.317.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.60.1.150700.17.35.4 fixed

kernel-default-man

suse enterprise server 12 SP5

4.12.14-122.317.1

fixed

kernel-obs-build

suse enterprise desktop 15 SP7	6.4.0-150700.53.60.2 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.60.2 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.60.2 fixed

kernel-source

suse enterprise desktop 15 SP7	6.4.0-150700.53.60.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.60.1 fixed
suse enterprise server 12 SP5	4.12.14-122.317.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.60.1 fixed

kernel-zfcpdump

suse enterprise desktop 15 SP7	6.4.0-150700.53.60.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.60.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.60.1 fixed

ocfs2-kmp-default

suse enterprise server 12 SP5

4.12.14-122.317.1

fixed

Amazon Linux Releases

Amazon Package

Release

bpftool6.18

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

bpftool6.18-debuginfo

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel-livepatch-6.18.16-18.222

Amazon Linux 2023

1:1.0-0.amzn2023

fixed

kernel6.18

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-debuginfo

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-debuginfo-common-aarch64

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-debuginfo-common-x86_64

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-devel

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-headers

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-libbpf

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-libbpf-debuginfo

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-libbpf-devel

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-libbpf-static

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-modules-extra

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-modules-extra-common

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-tools

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-tools-debuginfo

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-tools-devel

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

perf6.18

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

perf6.18-debuginfo

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

python3-perf6.18

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

python3-perf6.18-debuginfo

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um nicht spezifizierte Angriffe durchzuführen, möglicherweise Sicherheitsmaßnahmen zu umgehen, Daten zu manipulieren oder offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.
Published: 2026-05-06T22:00:00+00:00

References

https://git.kernel.org/stable/c/5268892de70f0b29bde341db863b234aa9259c08

https://git.kernel.org/stable/c/bb4c698633c0e19717586a6524a33196cff01a32

https://git.kernel.org/stable/c/bce42728ac4887060a24a585c5122fbd24939db7