CVE-2026-45970
published 2026-05-27CVE-2026-45970: In the Linux kernel, the following vulnerability has been resolved: bonding: alb: fix UAF in rlb_arp_recv during bond up/down The ALB RX path may access…
high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
In the Linux kernel, the following vulnerability has been resolved:
bonding: alb: fix UAF in rlb_arp_recv during bond up/down
The ALB RX path may access rx_hashtbl concurrently with bond
teardown. During rapid bond up/down cycles, rlb_deinitialize()
frees rx_hashtbl while RX handlers are still running, leading
to a null pointer dereference detected by KASAN.
However, the root cause is that rlb_arp_recv() can still be accessed
after setting recv_probe to NULL, which is actually a use-after-free
(UAF) issue. That is the reason for using the referenced commit in the
Fixes tag.
[ 214.174138] Oops: general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] SMP KASAN PTI
[ 214.186478] KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef]
[ 214.194933] CPU: 30 UID: 0 PID: 2375 Comm: ping Kdump: loaded Not tainted 6.19.0-rc8+ #2 PREEMPT(voluntary)
[ 214.205907] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.14.0 01/14/2022
[ 214.214357] RIP: 0010:rlb_arp_recv+0x505/0xab0 [bonding]
[ 214.220320] Code: 0f 85 2b 05 00 00 48 b8 00 00 00 00 00 fc ff df 40 0f b6 ed 48 c1 e5 06 49 03 ad 78 01 00 00 48 8d 7d 28 48 89 fa 48 c1 ea 03 b6
04 02 84 c0 74 06 0f 8e 12 05 00 00 80 7d 28 00 0f 84 8c 00
[ 214.241280] RSP: 0018:ffffc900073d8870 EFLAGS: 00010206
[ 214.247116] RAX: dffffc0000000000 RBX: ffff888168556822 RCX: ffff88816855681e
[ 214.255082] RDX: 000000000000001d RSI: dffffc0000000000 RDI: 00000000000000e8
[ 214.263048] RBP: 00000000000000c0 R08: 0000000000000002 R09: ffffed11192021c8
[ 214.271013] R10: ffff8888c9010e43 R11: 0000000000000001 R12: 1ffff92000e7b119
[ 214.278978] R13: ffff8888c9010e00 R14: ffff888168556822 R15: ffff888168556810
[ 214.286943] FS: 00007f85d2d9cb80(0000) GS:ffff88886ccb3000(0000) knlGS:0000000000000000
[ 214.295966] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 214.302380] CR2: 00007f0d047b5e34 CR3: 00000008a1c2e002 CR4: 00000000001726f0
[ 214.310347] Call Trace:
[ 214.313070]
[ 214.31531
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux | — | — |
| linux | linux | >= 3aba891dde3842d89ad022237b99c1ed308040b0 < fd54ddc929be1d6c3b3b7b35d6d4642a5d9e803c | fd54ddc929be1d6c3b3b7b35d6d4642a5d9e803c |
| linux | linux | >= 3aba891dde3842d89ad022237b99c1ed308040b0 < de7c097800f07f3c108185c7a38b53a530ba30ff | de7c097800f07f3c108185c7a38b53a530ba30ff |
| linux | linux | >= 3aba891dde3842d89ad022237b99c1ed308040b0 < db5435b5342e3aaa4521d0f3ccfe94316b253ca1 | db5435b5342e3aaa4521d0f3ccfe94316b253ca1 |
| linux | linux | >= 3aba891dde3842d89ad022237b99c1ed308040b0 < f94a0de7b9f32745a14a1621c63087a092823587 | f94a0de7b9f32745a14a1621c63087a092823587 |
| linux | linux | >= 3aba891dde3842d89ad022237b99c1ed308040b0 < c65cdf46ce340c9c00fbbaf84599d2daff43626e | c65cdf46ce340c9c00fbbaf84599d2daff43626e |
| linux | linux | >= 3aba891dde3842d89ad022237b99c1ed308040b0 < fef13c403be3fb685cb06419e6b3623106aab5ba | fef13c403be3fb685cb06419e6b3623106aab5ba |
| linux | linux | >= 3aba891dde3842d89ad022237b99c1ed308040b0 < d31065526f160ee0244a719230aa069daca2bf4d | d31065526f160ee0244a719230aa069daca2bf4d |
| linux | linux | >= 3aba891dde3842d89ad022237b99c1ed308040b0 < e6834a4c474697df23ab9948fd3577b26bf48656 | e6834a4c474697df23ab9948fd3577b26bf48656 |
| linux | linux_kernel | — | — |