CVE-2026-23119

In the Linux kernel, the following vulnerability has been resolved:

bonding: provide a net pointer to __skbflowdissect()

After 3cbf4ffba5ee ("net: plumb network namespace into __skbflowdissect") we have to provide a net pointer to __skbflowdissect(), either via skb->dev, skb->sk, or a user provided pointer.

In the following case, syzbot was able to cook a bare skb.

WARNING: net/core/flow_dissector.c:1131 at __skbflowdissect+0xb57/0x68b0 net/core/flowdissector.c:1131, CPU#1: syz.2.1418/11053 Call Trace: <TASK> bondflowdissect drivers/net/bonding/bondmain.c:4093 [inline] __bondxmithash+0x2d7/0xba0 drivers/net/bonding/bond_main.c:4157 bondxmithashxdp drivers/net/bonding/bondmain.c:4208 [inline] bondxdpxmit3adxorslaveget drivers/net/bonding/bondmain.c:5139 [inline] bondxdpgetxmitslave+0x1fd/0x710 drivers/net/bonding/bondmain.c:5515 xdpmasterredirect+0x13f/0x2c0 net/core/filter.c:4388 bpfprogrunxdp include/net/xdp.h:700 [inline] bpftestrun+0x6b2/0x7d0 net/bpf/testrun.c:421 bpfprogtestrunxdp+0x795/0x10e0 net/bpf/testrun.c:1390 bpfprogtestrun+0x2c7/0x340 kernel/bpf/syscall.c:4703 __sys_bpf+0x562/0x860 kernel/bpf/syscall.c:6182 __dosysbpf kernel/bpf/syscall.c:6274 [inline] __sesysbpf kernel/bpf/syscall.c:6272 [inline] __x64sysbpf+0x7c/0x90 kernel/bpf/syscall.c:6272 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0xec/0xf80 arch/x86/entry/syscall64.c:94