CVE-2026-23310
Analyzed Analyzed - Analysis Complete
Improper Input Validation in Linux Bonding Causes XDP Failure

Publication date: 2026-03-25

Last updated on: 2026-05-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded bond_option_mode_set() already rejects mode changes that would make a loaded XDP program incompatible via bond_xdp_check(). However, bond_option_xmit_hash_policy_set() has no such guard. For 802.3ad and balance-xor modes, bond_xdp_check() returns false when xmit_hash_policy is vlan+srcmac, because the 802.1q payload is usually absent due to hardware offload. This means a user can: 1. Attach a native XDP program to a bond in 802.3ad/balance-xor mode with a compatible xmit_hash_policy (e.g. layer2+3). 2. Change xmit_hash_policy to vlan+srcmac while XDP remains loaded. This leaves bond->xdp_prog set but bond_xdp_check() now returning false for the same device. When the bond is later destroyed, dev_xdp_uninstall() calls bond_xdp_set(dev, NULL, NULL) to remove the program, which hits the bond_xdp_check() guard and returns -EOPNOTSUPP, triggering: WARN_ON(dev_xdp_install(dev, mode, bpf_op, NULL, 0, NULL)) Fix this by rejecting xmit_hash_policy changes to vlan+srcmac when an XDP program is loaded on a bond in 802.3ad or balance-xor mode. commit 39a0876d595b ("net, bonding: Disallow vlan+srcmac with XDP") introduced bond_xdp_check() which returns false for 802.3ad/balance-xor modes when xmit_hash_policy is vlan+srcmac. The check was wired into bond_xdp_set() to reject XDP attachment with an incompatible policy, but the symmetric path -- preventing xmit_hash_policy from being changed to an incompatible value after XDP is already loaded -- was left unguarded in bond_option_xmit_hash_policy_set(). Note: commit 094ee6017ea0 ("bonding: check xdp prog when set bond mode") later added a similar guard to bond_option_mode_set(), but bond_option_xmit_hash_policy_set() remained unprotected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-05-28
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23310
EUVD
EUVD-2026-15252
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.17 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.77 (exc)
linux linux_kernel From 5.15 (inc) to 6.6.130 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's bonding driver related to the handling of the xmit_hash_policy when an XDP (eXpress Data Path) program is loaded. Specifically, the bonding driver allows changing the xmit_hash_policy to vlan+srcmac even when an XDP program is already attached, which is incompatible with certain bonding modes like 802.3ad and balance-xor.

Normally, the bonding driver prevents incompatible changes to the mode or xmit_hash_policy when an XDP program is loaded, but the function bond_option_xmit_hash_policy_set() lacked this guard. This allows a user to attach an XDP program with a compatible policy, then change the policy to vlan+srcmac, which is incompatible.

This leads to a state where the bonding device has an XDP program set but the policy check fails, causing errors and warnings when the bond is destroyed or the XDP program is removed.

Impact Analysis

This vulnerability can cause instability or unexpected errors in network bonding devices when using XDP programs. Specifically, it can lead to warnings and failures when removing XDP programs or destroying bonded interfaces, potentially disrupting network traffic or causing kernel warnings.

While it does not directly indicate a security breach or data compromise, the improper handling of bonding configurations with XDP programs could lead to network reliability issues or denial of service in environments relying on these features.

Mitigation Strategies

To mitigate this vulnerability, ensure that the xmit_hash_policy is not changed to vlan+srcmac when an XDP program is loaded on a bond in 802.3ad or balance-xor mode.

Specifically, avoid changing the xmit_hash_policy to vlan+srcmac on bonded interfaces running in 802.3ad or balance-xor mode while an XDP program is attached.

If possible, update the Linux kernel to a version that includes the fix which rejects such incompatible xmit_hash_policy changes when XDP is loaded.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23310. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart