CVE-2026-43103
Description
In the Linux kernel, the following vulnerability has been resolved:
net: lapbether: handle NETDEV_PRE_TYPE_CHANGE
lapbeth_data_transmit() expects the underlying device type to be ARPHRD_ETHER.
Returning NOTIFY_BAD from lapbeth_device_event() makes sure bonding driver can not break this expectation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's lapbether module, missing handling of NETDEV_PRE_TYPE_CHANGE allows the bonding driver to change the device type, causing potential system instability.
Vulnerability Overview
The vulnerability exists in the Linux kernel's net/lapbether module. The function lapbeth_data_transmit() expects the underlying network device to be of type ARPHRD_ETHER. Without proper handling of the NETDEV_PRE_TYPE_CHANGE event, a bonding driver could alter the underlying device's type, breaking this assumption and leading to undefined behavior.
Exploitation
An attacker with the ability to create and manipulate a bonding interface could trigger a device type change while the lapbether driver is active. This does not require any special privileges beyond those needed to configure networking, but it does require the presence of a bonding device and the lapbether module.
Impact
If successfully exploited, the device type mismatch could cause kernel crashes, data corruption, or other unpredictable behavior. The fix ensures that the bonding driver is prevented from changing the device type by returning NOTIFY_BAD from lapbeth_device_event() when a NETDEV_PRE_TYPE_CHANGE notification occurs.
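The veto described above can be seen in a small userspace model. This is an added example, not the kernel's code or the patch itself: `model_dev`, `model_change_type`, the `EV_PRE_TYPE_CHANGE` placeholder and both handler functions are hypothetical names, and only the NOTIFY_* and ARPHRD_* values mirror kernel headers.

```c
/* Userspace model, constructed for illustration; not kernel source. */
#include <stdio.h>
#define NOTIFY_DONE        0x0000
#define NOTIFY_BAD         0x8002   /* NOTIFY_STOP_MASK | 0x0002, as in notifier.h */
#define ARPHRD_ETHER       1        /* as in if_arp.h */
#define ARPHRD_INFINIBAND  32       /* as in if_arp.h */
enum { EV_PRE_TYPE_CHANGE = 1 };    /* placeholder for NETDEV_PRE_TYPE_CHANGE */

struct model_dev { const char *name; int type; };
typedef int (*notifier_fn)(int event, struct model_dev *dev);

/* Pre-fix behaviour: the event is not handled, so nothing objects. */
static int lapbeth_event_unpatched(int event, struct model_dev *dev)
{
    (void)event; (void)dev;
    return NOTIFY_DONE;
}

/* Post-fix behaviour described in the CVE text: veto the type change. */
static int lapbeth_event_patched(int event, struct model_dev *dev)
{
    (void)dev;
    return event == EV_PRE_TYPE_CHANGE ? NOTIFY_BAD : NOTIFY_DONE;
}

/* Hypothetical caller that wants to retype a device: ask the listener first. */
static int model_change_type(struct model_dev *dev, int new_type, notifier_fn listener)
{
    if (listener(EV_PRE_TYPE_CHANGE, dev) == NOTIFY_BAD)
        return -1;                  /* refused: dev->type is left untouched */
    dev->type = new_type;
    return 0;
}

/* What lapbeth_data_transmit() relies on, reduced to the type invariant. */
static int transmit_invariant_holds(const struct model_dev *dev)
{
    return dev->type == ARPHRD_ETHER;
}

int main(void)
{
    struct model_dev a = { "dev0", ARPHRD_ETHER }, b = { "dev1", ARPHRD_ETHER };
    model_change_type(&a, ARPHRD_INFINIBAND, lapbeth_event_unpatched);
    model_change_type(&b, ARPHRD_INFINIBAND, lapbeth_event_patched);
    printf("unpatched: invariant holds = %d\n", transmit_invariant_holds(&a));
    printf("patched:   invariant holds = %d\n", transmit_invariant_holds(&b));
    return 0;
}
```

In the model, the unpatched handler lets the type become non-Ethernet and the invariant fails, while the patched handler causes the change to be refused and the invariant is preserved.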
Mitigation
The fix has been applied in Linux kernel stable releases. Users are advised to update to the latest kernel version to mitigate the vulnerability. There are no known workarounds other than applying the kernel patch.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=2.6.24,<6.6.136)
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- git.kernel.org/stable/c/328bb2cff5c2ed973f595ded769e15f4b7a117be (nvd, Patch)
- git.kernel.org/stable/c/363a38044b8cd5b496d241651a1fb666e7c5fe3e (nvd, Patch)
- git.kernel.org/stable/c/63851f60781aa89258c8f0952cd13940aab0888e (nvd, Patch)
- git.kernel.org/stable/c/b117056768ab7deb434e7d72065e48d2083a0c2a (nvd, Patch)
- git.kernel.org/stable/c/b120e4432f9f56c7103133d6a11245e617695adb (nvd, Patch)