CVE-2026-45970
Description
In the Linux kernel, the following vulnerability has been resolved:
bonding: alb: fix UAF in rlb_arp_recv during bond up/down
The ALB RX path may access rx_hashtbl concurrently with bond teardown. During rapid bond up/down cycles, rlb_deinitialize() frees rx_hashtbl while RX handlers are still running, leading to a null pointer dereference detected by KASAN.
However, the root cause is that rlb_arp_recv() can still be accessed after setting recv_probe to NULL, which is actually a use-after-free (UAF) issue. That is the reason for using the referenced commit in the Fixes tag.
[ 214.174138] Oops: general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] SMP KASAN PTI [ 214.186478] KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef] [ 214.194933] CPU: 30 UID: 0 PID: 2375 Comm: ping Kdump: loaded Not tainted 6.19.0-rc8+ #2 PREEMPT(voluntary) [ 214.205907] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.14.0 01/14/2022 [ 214.214357] RIP: 0010:rlb_arp_recv+0x505/0xab0 [bonding] [ 214.220320] Code: 0f 85 2b 05 00 00 48 b8 00 00 00 00 00 fc ff df 40 0f b6 ed 48 c1 e5 06 49 03 ad 78 01 00 00 48 8d 7d 28 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 06 0f 8e 12 05 00 00 80 7d 28 00 0f 84 8c 00 [ 214.241280] RSP: 0018:ffffc900073d8870 EFLAGS: 00010206 [ 214.247116] RAX: dffffc0000000000 RBX: ffff888168556822 RCX: ffff88816855681e [ 214.255082] RDX: 000000000000001d RSI: dffffc0000000000 RDI: 00000000000000e8 [ 214.263048] RBP: 00000000000000c0 R08: 0000000000000002 R09: ffffed11192021c8 [ 214.271013] R10: ffff8888c9010e43 R11: 0000000000000001 R12: 1ffff92000e7b119 [ 214.278978] R13: ffff8888c9010e00 R14: ffff888168556822 R15: ffff888168556810 [ 214.286943] FS: 00007f85d2d9cb80(0000) GS:ffff88886ccb3000(0000) knlGS:0000000000000000 [ 214.295966] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 214.302380] CR2: 00007f0d047b5e34 CR3: 00000008a1c2e002 CR4: 00000000001726f0 [ 214.310347] Call Trace: [ 214.313070] [ 214.315318] ? __pfx_rlb_arp_recv+0x10/0x10 [bonding] [ 214.320975] bond_handle_frame+0x166/0xb60 [bonding] [ 214.326537] ? __pfx_bond_handle_frame+0x10/0x10 [bonding] [ 214.332680] __netif_receive_skb_core.constprop.0+0x576/0x2710 [ 214.339199] ? __pfx_arp_process+0x10/0x10 [ 214.343775] ? sched_balance_find_src_group+0x98/0x630 [ 214.349513] ? __pfx___netif_receive_skb_core.constprop.0+0x10/0x10 [ 214.356513] ? arp_rcv+0x307/0x690 [ 214.360311] ? __pfx_arp_rcv+0x10/0x10 [ 214.364499] ? __lock_acquire+0x58c/0xbd0 [ 214.368975] __netif_receive_skb_one_core+0xae/0x1b0 [ 214.374518] ? __pfx___netif_receive_skb_one_core+0x10/0x10 [ 214.380743] ? lock_acquire+0x10b/0x140 [ 214.385026] process_backlog+0x3f1/0x13a0 [ 214.389502] ? process_backlog+0x3aa/0x13a0 [ 214.394174] __napi_poll.constprop.0+0x9f/0x370 [ 214.399233] net_rx_action+0x8c1/0xe60 [ 214.403423] ? __pfx_net_rx_action+0x10/0x10 [ 214.408193] ? lock_acquire.part.0+0xbd/0x260 [ 214.413058] ? sched_clock_cpu+0x6c/0x540 [ 214.417540] ? mark_held_locks+0x40/0x70 [ 214.421920] handle_softirqs+0x1fd/0x860 [ 214.426302] ? __pfx_handle_softirqs+0x10/0x10 [ 214.431264] ? __neigh_event_send+0x2d6/0xf50 [ 214.436131] do_softirq+0xb1/0xf0 [ 214.439830]
The issue is reproducible by repeatedly running ip link set bond0 up/down while receiving ARP messages, where rlb_arp_recv() can race with rlb_deinitialize() and dereference a freed rx_hashtbl entry.
Fix this by setting recv_probe to NULL and then calling synchronize_net() to wait for any concurrent RX processing to finish. This ensures that no RX handler can access rx_hashtbl after it is freed in bond_alb_deinitialize().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in the Linux kernel's bonding ALB driver allows a local attacker to crash the system during rapid bond up/down cycles.
Vulnerability
The Linux kernel's bonding driver, specifically the Adaptive Load Balancing (ALB) path, contains a use-after-free (UAF) vulnerability in rlb_arp_recv(). During rapid bond up/down cycles, rlb_deinitialize() frees the rx_hashtbl while receive handlers are still executing, leading to a null pointer dereference and KASAN-detected UAF. The issue affects versions of the Linux kernel prior to the fix commit fef13c403be3 and c65cdf46ce34. An Oops trace shows the crash in rlb_arp_recv+0x505 while handling ARP packets [1][2].
Exploitation
An attacker with the ability to trigger bond up/down cycles (i.e., local user with CAP_NET_ADMIN or access to network configuration scripts) can exploit this race condition. No special user interaction is required beyond initiating the bond state changes; the race window occurs when rlb_arp_recv() continues to access the freed hash table even after recv_probe is set to NULL [1].
Impact
Exploitation leads to a denial of service (DoS) through a system crash (general protection fault). The KASAN report confirms a null-ptr-deref in rlb_arp_recv, indicating memory corruption that can cause system instability or crash [1]. No privilege escalation is described, but the attack can disrupt network bonding functionality and overall system availability.
Mitigation
Both stable kernel commits fef13c403be3fb685cb06419e6b3623106aab5ba and c65cdf46ce340c9c00fbbaf84599d2daff43626e fix the issue by properly synchronizing the teardown with active RX handlers. Users should update to a kernel version containing either commit. No workaround is provided if the patch cannot be applied, and the vulnerability is not listed in CISA's KEV as of the publication date [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
16c65cdf46ce34bonding: alb: fix UAF in rlb_arp_recv during bond up/down
1 file changed · +5 −2
drivers/net/bonding/bond_main.c+5 −2 modifieddiff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index 95456a753b184b..dd1f8cad953bf4 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -4478,9 +4478,13 @@ static int bond_close(struct net_device *bond_dev) bond_work_cancel_all(bond); bond->send_peer_notif = 0; + WRITE_ONCE(bond->recv_probe, NULL); + + /* Wait for any in-flight RX handlers */ + synchronize_net(); + if (bond_is_lb(bond)) bond_alb_deinitialize(bond); - bond->recv_probe = NULL; if (bond_uses_primary(bond)) { rcu_read_lock(); -- cgit 1.3-korg
e6834a4c4746bonding: alb: fix UAF in rlb_arp_recv during bond up/down
1 file changed · +5 −2
drivers/net/bonding/bond_main.c+5 −2 modifieddiff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index 78cff904cdc309..55a960da42b507 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -4343,9 +4343,13 @@ static int bond_close(struct net_device *bond_dev) bond_work_cancel_all(bond); bond->send_peer_notif = 0; + WRITE_ONCE(bond->recv_probe, NULL); + + /* Wait for any in-flight RX handlers */ + synchronize_net(); + if (bond_is_lb(bond)) bond_alb_deinitialize(bond); - bond->recv_probe = NULL; if (BOND_MODE(bond) == BOND_MODE_8023AD && bond->params.broadcast_neighbor) -- cgit 1.3-korg
d31065526f16bonding: alb: fix UAF in rlb_arp_recv during bond up/down
1 file changed · +5 −2
drivers/net/bonding/bond_main.c+5 −2 modifieddiff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index 47f13d86cb7ef0..4c58d1dafcacba 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -4314,9 +4314,13 @@ static int bond_close(struct net_device *bond_dev) bond_work_cancel_all(bond); bond->send_peer_notif = 0; + WRITE_ONCE(bond->recv_probe, NULL); + + /* Wait for any in-flight RX handlers */ + synchronize_net(); + if (bond_is_lb(bond)) bond_alb_deinitialize(bond); - bond->recv_probe = NULL; if (BOND_MODE(bond) == BOND_MODE_8023AD && bond->params.broadcast_neighbor) -- cgit 1.3-korg
fd54ddc929bebonding: alb: fix UAF in rlb_arp_recv during bond up/down
1 file changed · +5 −2
drivers/net/bonding/bond_main.c+5 −2 modifieddiff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index 1d8a6690527aa9..87e23796680b32 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -3804,9 +3804,13 @@ static int bond_close(struct net_device *bond_dev) bond_work_cancel_all(bond); bond->send_peer_notif = 0; + WRITE_ONCE(bond->recv_probe, NULL); + + /* Wait for any in-flight RX handlers */ + synchronize_net(); + if (bond_is_lb(bond)) bond_alb_deinitialize(bond); - bond->recv_probe = NULL; if (bond_uses_primary(bond)) { rcu_read_lock(); -- cgit 1.3-korg
de7c097800f0bonding: alb: fix UAF in rlb_arp_recv during bond up/down
1 file changed · +5 −2
drivers/net/bonding/bond_main.c+5 −2 modifieddiff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index 27ed1643754114..1323a619db4d28 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -4024,9 +4024,13 @@ static int bond_close(struct net_device *bond_dev) bond_work_cancel_all(bond); bond->send_peer_notif = 0; + WRITE_ONCE(bond->recv_probe, NULL); + + /* Wait for any in-flight RX handlers */ + synchronize_net(); + if (bond_is_lb(bond)) bond_alb_deinitialize(bond); - bond->recv_probe = NULL; if (bond_uses_primary(bond)) { rcu_read_lock(); -- cgit 1.3-korg
db5435b5342ebonding: alb: fix UAF in rlb_arp_recv during bond up/down
1 file changed · +5 −2
drivers/net/bonding/bond_main.c+5 −2 modifieddiff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index 113a5504c9ebb4..8ff1c34b4db635 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -4343,9 +4343,13 @@ static int bond_close(struct net_device *bond_dev) bond_work_cancel_all(bond); bond->send_peer_notif = 0; + WRITE_ONCE(bond->recv_probe, NULL); + + /* Wait for any in-flight RX handlers */ + synchronize_net(); + if (bond_is_lb(bond)) bond_alb_deinitialize(bond); - bond->recv_probe = NULL; if (bond_uses_primary(bond)) { rcu_read_lock(); -- cgit 1.3-korg
f94a0de7b9f3bonding: alb: fix UAF in rlb_arp_recv during bond up/down
1 file changed · +5 −2
drivers/net/bonding/bond_main.c+5 −2 modifieddiff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index 4f8a59b4ba9858..836d7fcac71a1d 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -4401,9 +4401,13 @@ static int bond_close(struct net_device *bond_dev) bond_work_cancel_all(bond); bond->send_peer_notif = 0; + WRITE_ONCE(bond->recv_probe, NULL); + + /* Wait for any in-flight RX handlers */ + synchronize_net(); + if (bond_is_lb(bond)) bond_alb_deinitialize(bond); - bond->recv_probe = NULL; if (bond_uses_primary(bond)) { rcu_read_lock(); -- cgit 1.3-korg
fef13c403be3bonding: alb: fix UAF in rlb_arp_recv during bond up/down
1 file changed · +5 −2
drivers/net/bonding/bond_main.c+5 −2 modifieddiff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index 166dff47a029ff..dba8f68690947c 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -4405,9 +4405,13 @@ static int bond_close(struct net_device *bond_dev) bond_work_cancel_all(bond); bond->send_peer_notif = 0; + WRITE_ONCE(bond->recv_probe, NULL); + + /* Wait for any in-flight RX handlers */ + synchronize_net(); + if (bond_is_lb(bond)) bond_alb_deinitialize(bond); - bond->recv_probe = NULL; if (BOND_MODE(bond) == BOND_MODE_8023AD && bond->params.broadcast_neighbor) -- cgit 1.3-korg
fd54ddc929bebonding: alb: fix UAF in rlb_arp_recv during bond up/down
1 file changed · +5 −2
drivers/net/bonding/bond_main.c+5 −2 modifieddiff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index 1d8a6690527aa9..87e23796680b32 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -3804,9 +3804,13 @@ static int bond_close(struct net_device *bond_dev) bond_work_cancel_all(bond); bond->send_peer_notif = 0; + WRITE_ONCE(bond->recv_probe, NULL); + + /* Wait for any in-flight RX handlers */ + synchronize_net(); + if (bond_is_lb(bond)) bond_alb_deinitialize(bond); - bond->recv_probe = NULL; if (bond_uses_primary(bond)) { rcu_read_lock(); -- cgit 1.3-korg
db5435b5342ebonding: alb: fix UAF in rlb_arp_recv during bond up/down
1 file changed · +5 −2
drivers/net/bonding/bond_main.c+5 −2 modifieddiff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index 113a5504c9ebb4..8ff1c34b4db635 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -4343,9 +4343,13 @@ static int bond_close(struct net_device *bond_dev) bond_work_cancel_all(bond); bond->send_peer_notif = 0; + WRITE_ONCE(bond->recv_probe, NULL); + + /* Wait for any in-flight RX handlers */ + synchronize_net(); + if (bond_is_lb(bond)) bond_alb_deinitialize(bond); - bond->recv_probe = NULL; if (bond_uses_primary(bond)) { rcu_read_lock(); -- cgit 1.3-korg
f94a0de7b9f3bonding: alb: fix UAF in rlb_arp_recv during bond up/down
1 file changed · +5 −2
drivers/net/bonding/bond_main.c+5 −2 modifieddiff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index 4f8a59b4ba9858..836d7fcac71a1d 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -4401,9 +4401,13 @@ static int bond_close(struct net_device *bond_dev) bond_work_cancel_all(bond); bond->send_peer_notif = 0; + WRITE_ONCE(bond->recv_probe, NULL); + + /* Wait for any in-flight RX handlers */ + synchronize_net(); + if (bond_is_lb(bond)) bond_alb_deinitialize(bond); - bond->recv_probe = NULL; if (bond_uses_primary(bond)) { rcu_read_lock(); -- cgit 1.3-korg
fef13c403be3bonding: alb: fix UAF in rlb_arp_recv during bond up/down
1 file changed · +5 −2
drivers/net/bonding/bond_main.c+5 −2 modifieddiff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index 166dff47a029ff..dba8f68690947c 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -4405,9 +4405,13 @@ static int bond_close(struct net_device *bond_dev) bond_work_cancel_all(bond); bond->send_peer_notif = 0; + WRITE_ONCE(bond->recv_probe, NULL); + + /* Wait for any in-flight RX handlers */ + synchronize_net(); + if (bond_is_lb(bond)) bond_alb_deinitialize(bond); - bond->recv_probe = NULL; if (BOND_MODE(bond) == BOND_MODE_8023AD && bond->params.broadcast_neighbor) -- cgit 1.3-korg
c65cdf46ce34bonding: alb: fix UAF in rlb_arp_recv during bond up/down
1 file changed · +5 −2
drivers/net/bonding/bond_main.c+5 −2 modifieddiff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index 95456a753b184b..dd1f8cad953bf4 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -4478,9 +4478,13 @@ static int bond_close(struct net_device *bond_dev) bond_work_cancel_all(bond); bond->send_peer_notif = 0; + WRITE_ONCE(bond->recv_probe, NULL); + + /* Wait for any in-flight RX handlers */ + synchronize_net(); + if (bond_is_lb(bond)) bond_alb_deinitialize(bond); - bond->recv_probe = NULL; if (bond_uses_primary(bond)) { rcu_read_lock(); -- cgit 1.3-korg
d31065526f16bonding: alb: fix UAF in rlb_arp_recv during bond up/down
1 file changed · +5 −2
drivers/net/bonding/bond_main.c+5 −2 modifieddiff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index 47f13d86cb7ef0..4c58d1dafcacba 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -4314,9 +4314,13 @@ static int bond_close(struct net_device *bond_dev) bond_work_cancel_all(bond); bond->send_peer_notif = 0; + WRITE_ONCE(bond->recv_probe, NULL); + + /* Wait for any in-flight RX handlers */ + synchronize_net(); + if (bond_is_lb(bond)) bond_alb_deinitialize(bond); - bond->recv_probe = NULL; if (BOND_MODE(bond) == BOND_MODE_8023AD && bond->params.broadcast_neighbor) -- cgit 1.3-korg
de7c097800f0bonding: alb: fix UAF in rlb_arp_recv during bond up/down
1 file changed · +5 −2
drivers/net/bonding/bond_main.c+5 −2 modifieddiff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index 27ed1643754114..1323a619db4d28 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -4024,9 +4024,13 @@ static int bond_close(struct net_device *bond_dev) bond_work_cancel_all(bond); bond->send_peer_notif = 0; + WRITE_ONCE(bond->recv_probe, NULL); + + /* Wait for any in-flight RX handlers */ + synchronize_net(); + if (bond_is_lb(bond)) bond_alb_deinitialize(bond); - bond->recv_probe = NULL; if (bond_uses_primary(bond)) { rcu_read_lock(); -- cgit 1.3-korg
e6834a4c4746bonding: alb: fix UAF in rlb_arp_recv during bond up/down
1 file changed · +5 −2
drivers/net/bonding/bond_main.c+5 −2 modifieddiff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index 78cff904cdc309..55a960da42b507 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -4343,9 +4343,13 @@ static int bond_close(struct net_device *bond_dev) bond_work_cancel_all(bond); bond->send_peer_notif = 0; + WRITE_ONCE(bond->recv_probe, NULL); + + /* Wait for any in-flight RX handlers */ + synchronize_net(); + if (bond_is_lb(bond)) bond_alb_deinitialize(bond); - bond->recv_probe = NULL; if (BOND_MODE(bond) == BOND_MODE_8023AD && bond->params.broadcast_neighbor) -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing synchronization in bond_close() allows rlb_arp_recv() to access freed rx_hashtbl memory during concurrent bond teardown."
Attack vector
An attacker on the local network sends ARP messages to a system with a bond interface in ALB mode. While the system rapidly cycles the bond interface up and down (e.g., `ip link set bond0 up/down`), `rlb_arp_recv()` can race with `rlb_deinitialize()`. The RX handler may dereference `rx_hashtbl` after it has been freed, causing a use-after-free (UAF) or null-pointer dereference [patch_id=2660852]. The crash manifests as a general protection fault in `rlb_arp_recv` at offset 0x505, as shown in the KASAN report.
Affected code
The vulnerability is in `drivers/net/bonding/bond_main.c` in the `bond_close()` function [patch_id=2660852]. The ALB (Adaptive Load Balancing) RX handler `rlb_arp_recv()` in the bonding driver accesses `rx_hashtbl` without proper synchronization during bond teardown.
What the fix does
The patch moves `bond->recv_probe = NULL` to before `bond_alb_deinitialize(bond)` and wraps it with `WRITE_ONCE()`. It then adds a `synchronize_net()` call between setting `recv_probe` to NULL and freeing `rx_hashtbl` [patch_id=2660852]. This ensures that any in-flight RX handlers (including `rlb_arp_recv()`) have completed before the hash table is freed, closing the race window.
Preconditions
- configBond interface must be in ALB (Adaptive Load Balancing) mode
- networkAttacker must be able to send ARP packets to the target system
- inputBond interface must be rapidly brought up and down while ARP traffic is received
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- git.kernel.org/stable/c/c65cdf46ce340c9c00fbbaf84599d2daff43626envd
- git.kernel.org/stable/c/d31065526f160ee0244a719230aa069daca2bf4dnvd
- git.kernel.org/stable/c/db5435b5342e3aaa4521d0f3ccfe94316b253ca1nvd
- git.kernel.org/stable/c/de7c097800f07f3c108185c7a38b53a530ba30ffnvd
- git.kernel.org/stable/c/e6834a4c474697df23ab9948fd3577b26bf48656nvd
- git.kernel.org/stable/c/f94a0de7b9f32745a14a1621c63087a092823587nvd
- git.kernel.org/stable/c/fd54ddc929be1d6c3b3b7b35d6d4642a5d9e803cnvd
- git.kernel.org/stable/c/fef13c403be3fb685cb06419e6b3623106aab5banvd
News mentions
0No linked articles in our index yet.