CVE-2026-23099
- Source
- https://cve.org/CVERecord?id=CVE-2026-23099
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23099.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-23099
- Downstream
- Related
- Published
- 2026-02-04T16:08:21.601Z
- Modified
- 2026-03-24T08:59:21.813866Z
- Summary
- bonding: limit BOND_MODE_8023AD to Ethernet devices
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
bonding: limit BONDMODE8023AD to Ethernet devices
BONDMODE8023AD makes sense for ARPHRD_ETHER only.
syzbot reported:
BUG: KASAN: global-out-of-bounds in __hwaddrcreate net/core/devaddrlists.c:63 [inline] BUG: KASAN: global-out-of-bounds in _hwaddraddex+0x25d/0x760 net/core/devaddrlists.c:118 Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497
CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full) Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Call Trace: <TASK> dumpstacklvl+0xe8/0x150 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0xca/0x240 mm/kasan/report.c:482 kasanreport+0x118/0x150 mm/kasan/report.c:595 checkregioninline mm/kasan/generic.c:-1 [inline] kasancheck_range+0x2b0/0x2c0 mm/kasan/generic.c:200 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 __hwaddrcreate net/core/devaddrlists.c:63 [inline] __hwaddraddex+0x25d/0x760 net/core/devaddr_lists.c:118 __devmcadd net/core/devaddrlists.c:868 [inline] devmcadd+0xa1/0x120 net/core/devaddrlists.c:886 bondenslave+0x2b8b/0x3ac0 drivers/net/bonding/bondmain.c:2180 dosetmaster+0x533/0x6d0 net/core/rtnetlink.c:2963 dosetlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165 rtnlchangelink net/core/rtnetlink.c:3776 [inline] __rtnlnewlink net/core/rtnetlink.c:3935 [inline] rtnlnewlink+0x161c/0x1c90 net/core/rtnetlink.c:4072 rtnetlinkrcvmsg+0x7cf/0xb70 net/core/rtnetlink.c:6958 netlinkrcvskb+0x208/0x470 net/netlink/afnetlink.c:2550 netlinkunicastkernel net/netlink/afnetlink.c:1318 [inline] netlinkunicast+0x82f/0x9e0 net/netlink/afnetlink.c:1344 netlinksendmsg+0x805/0xb30 net/netlink/afnetlink.c:1894 socksendmsgnosec net/socket.c:727 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:742 ____sys_sendmsg+0x505/0x820 net/socket.c:2592 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646 __syssendmsg+0x164/0x220 net/socket.c:2678 dosyscall32irqson arch/x86/entry/syscall32.c:83 [inline] __dofastsyscall32+0x1dc/0x560 arch/x86/entry/syscall32.c:307 dofastsyscall32+0x34/0x80 arch/x86/entry/syscall32.c:332 entrySYSENTERcompatafterhwframe+0x84/0x8e </TASK>
The buggy address belongs to the variable: lacpdumcastaddr+0x0/0x40
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23099.json" }- References
-
- https://git.kernel.org/stable/c/43dee6f7ef1d228821de1b61c292af3744c8d7da
- https://git.kernel.org/stable/c/5063b2cd9b27d35ab788d707d7858ded0acc8f1d
- https://git.kernel.org/stable/c/72925dbb0c8c7b16bf922e93c6cc03cbd8c955c4
- https://git.kernel.org/stable/c/80c881e53a4fa0a80fa4bef7bc0ead0e8e88940d
- https://git.kernel.org/stable/c/c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6
- https://git.kernel.org/stable/c/ef68afb1bee8d35a18896c27d7358079353d8d8a
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23099.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-23099
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced872254dd6b1f80cb95ee9e2e22980888533fc293Fixed72925dbb0c8c7b16bf922e93c6cc03cbd8c955c4Fixed5063b2cd9b27d35ab788d707d7858ded0acc8f1dFixed80c881e53a4fa0a80fa4bef7bc0ead0e8e88940dFixedef68afb1bee8d35a18896c27d7358079353d8d8aFixed43dee6f7ef1d228821de1b61c292af3744c8d7daFixedc84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6