CVE-2026-31419
Analyzed Analyzed - Analysis Complete
Use-After-Free in Linux Kernel Bonding Causes Potential Crash

Publication date: 2026-04-13

Last updated on: 2026-05-20

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix use-after-free in bond_xmit_broadcast() bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave list during RCU-protected iteration, changing which slave is "last" mid-loop. This causes the original skb to be double-consumed (double-freed). Replace the racy bond_is_last_slave() check with a simple index comparison (i + 1 == slaves_count) against the pre-snapshot slave count taken via READ_ONCE() before the loop. This preserves the zero-copy optimization for the last slave while making the "last" determination stable against concurrent list mutations. The UAF can trigger the following crash: ================================================================== BUG: KASAN: slab-use-after-free in skb_clone Read of size 8 at addr ffff888100ef8d40 by task exploit/147 CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:123) print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) kasan_report (mm/kasan/report.c:597) skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334) bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593) dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887) __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838) ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136) ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219) ip6_output (net/ipv6/ip6_output.c:250) ip6_send_skb (net/ipv6/ip6_output.c:1985) udp_v6_send_skb (net/ipv6/udp.c:1442) udpv6_sendmsg (net/ipv6/udp.c:1733) __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) </TASK> Allocated by task 147: Freed by task 147: The buggy address belongs to the object at ffff888100ef8c80 which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 192 bytes inside of freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60) Memory state around the buggy address: ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-05-20
Generated
2026-06-16
AI Q&A
2026-04-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31419
EUVD
EUVD-2026-21943
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.10.94 (inc) to 5.11 (exc)
linux linux_kernel From 5.15.17 (inc) to 5.16 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 5.16.3 (inc) to 5.17 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 5.17 (inc) to 6.12.86 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free (UAF) issue in the Linux kernel's network bonding driver, specifically in the function bond_xmit_broadcast().

The function reuses a network buffer (skb) for the last slave device and clones it for others. However, if the list of slave devices changes concurrently during this process, the determination of which slave is last can become incorrect.

This race condition causes the original skb to be double-consumed or double-freed, leading to a use-after-free error that can crash the kernel.

The fix replaces the unstable check for the last slave with a stable index comparison against a pre-snapshot count of slaves, preventing the double-free while preserving performance optimizations.

Impact Analysis

This vulnerability can cause a kernel crash due to a use-after-free error in the network bonding driver.

Such crashes can lead to denial of service (DoS) conditions, making the affected system unstable or unavailable.

In some cases, use-after-free vulnerabilities can be exploited to execute arbitrary code or escalate privileges, but this specific CVE description does not confirm such exploitation beyond causing crashes.

Detection Guidance

This vulnerability manifests as a use-after-free (UAF) error in the Linux kernel bonding driver, which can cause kernel crashes with KASAN (Kernel Address Sanitizer) reports indicating slab-use-after-free in skb_clone.

Detection would typically involve monitoring kernel logs for crash reports similar to the one described, including messages about KASAN slab-use-after-free errors related to skb_clone and bond_xmit_broadcast.

Since no specific detection commands or tools are provided, general commands to check kernel logs and dmesg for related errors include:

  • dmesg | grep -i 'bond_xmit_broadcast'
  • journalctl -k | grep -i 'KASAN'
  • journalctl -k | grep -i 'use-after-free'

Additionally, enabling KASAN or other kernel debugging features may help detect this issue during testing or development.

Mitigation Strategies

The vulnerability has been fixed by replacing the racy bond_is_last_slave() check with a stable index comparison to prevent use-after-free conditions.

Immediate mitigation steps include updating the Linux kernel to a version that contains this fix (post 7.0.0-rc3+ where the patch is applied).

If updating the kernel is not immediately possible, consider disabling bonding or avoiding configurations that trigger bond_xmit_broadcast() until a patched kernel is deployed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31419. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart