VYPR
← All advisories
Medium severity5.5NVD Advisory· Published May 6, 2026· Updated May 12, 2026

CVE-2026-43234

CVE-2026-43234

Description

In the Linux kernel, the following vulnerability has been resolved:

team: avoid NETDEV_CHANGEMTU event when unregistering slave

syzbot is reporting

unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3 ref_tracker: netdev@ffff88807dcf8618 has 1/2 users at __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline] netdev_hold include/linux/netdevice.h:4429 [inline] inetdev_init+0x201/0x4e0 net/ipv4/devinet.c:286 inetdev_event+0x251/0x1610 net/ipv4/devinet.c:1600 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_mtu net/core/dev.c:2318 [inline] netif_set_mtu_ext+0x5aa/0x800 net/core/dev.c:9886 netif_set_mtu+0xd7/0x1b0 net/core/dev.c:9907 dev_set_mtu+0x126/0x260 net/core/dev_api.c:248 team_port_del+0xb07/0xcb0 drivers/net/team/team_core.c:1333 team_del_slave drivers/net/team/team_core.c:1936 [inline] team_device_event+0x207/0x5b0 drivers/net/team/team_core.c:2929 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2281 [inline] call_netdevice_notifiers net/core/dev.c:2295 [inline] __dev_change_net_namespace+0xcb7/0x2050 net/core/dev.c:12592 do_setlink+0x2ce/0x4590 net/core/rtnetlink.c:3060 rtnl_changelink net/core/rtnetlink.c:3776 [inline] __rtnl_newlink net/core/rtnetlink.c:3935 [inline] rtnl_newlink+0x15a9/0x1be0 net/core/rtnetlink.c:4072 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894

problem. Ido Schimmel found steps to reproduce

ip link add name team1 type team ip link add name dummy1 mtu 1499 master team1 type dummy ip netns add ns1 ip link set dev dummy1 netns ns1 ip -n ns1 link del dev dummy1

and also found that the same issue was fixed in the bond driver in commit f51048c3e07b ("bonding: avoid NETDEV_CHANGEMTU event when unregistering slave").

Let's do similar thing for the team driver, with commit ad7c7b2172c3 ("net: hold netdev instance lock during sysfs operations") and commit 303a8487a657 ("net: s/__dev_set_mtu/__netif_set_mtu/") also applied.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A kernel refcount leak in the team driver prevents slave devices from being freed when moved across network namespaces.

Root

Cause

The team driver incorrectly triggers a NETDEV_CHANGEMTU notification when removing a slave port via team_port_del [0]. This notification ultimately calls dev_set_mtu, which increments the network device's reference count through netdev_hold [0]. The reference count is never decremented when the slave is later unregistered, because the MTU change event is not the appropriate context for such a hold.

Exploitation

An attacker with CAP_NET_ADMIN privileges can reproduce the issue by creating a team interface, enslaving a device (such as a dummy interface with a custom MTU), and then moving that slave into a different network namespace using ip link set ... netns ... [0]. The sequence triggers team_device_event, which calls team_port_del, which in turn generates the spurious MTU change event.

Impact

Once the slave device's reference count is elevated, unregister_netdevice() waits for the count to drop to zero, causing the warning "unregister_netdevice: waiting for ... to become free. Usage count = ..." [0]. The device never becomes free, preventing cleanup of network namespaces and potentially leading to resource exhaustion and denial of service.

Mitigation

The fix, merged into the Linux kernel, ensures that team_port_del does not emit NETDEV_CHANGEMTU during slave removal, avoiding the unnecessary reference count increment [1][2][3]. Administrators should apply the latest stable kernel updates to resolve this issue.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

1