CVE-2026-23451
Analyzed Analyzed - Analysis Complete
Infinite Loop Vulnerability in Linux Kernel Bonding Component

Publication date: 2026-04-03

Last updated on: 2026-05-21

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: bonding: prevent potential infinite loop in bond_header_parse() bond_header_parse() can loop if a stack of two bonding devices is setup, because skb->dev always points to the hierarchy top. Add new "const struct net_device *dev" parameter to (struct header_ops)->parse() method to make sure the recursion is bounded, and that the final leaf parse method is called.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-05-21
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23451
EUVD
EUVD-2026-18702
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 6.18.19
linux linux_kernel 6.19.9
linux linux_kernel 6.12.78
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's bonding driver, specifically in the bond_header_parse() function. When a stack of two bonding devices is configured, bond_header_parse() can enter an infinite loop because skb->dev always points to the top device in the hierarchy. This causes the function to recurse indefinitely.

The fix involves adding a new parameter to the parse() method of the header_ops structure to ensure that recursion is bounded and that the final leaf parse method is called correctly, preventing the infinite loop.

Impact Analysis

This vulnerability can cause the Linux kernel to enter an infinite loop when processing network packets on systems using stacked bonding devices. This could lead to system instability, degraded network performance, or denial of service due to the kernel being stuck in the loop.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23451. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart