CVE-2026-31502
Received Received - Intake
Type Confusion in Linux Kernel Team Header_ops Causes Crash

Publication date: 2026-04-22

Last updated on: 2026-04-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: team: fix header_ops type confusion with non-Ethernet ports Similar to commit 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()") team has the same class of header_ops type confusion. For non-Ethernet ports, team_setup_by_port() copies port_dev->header_ops directly. When the team device later calls dev_hard_header() or dev_parse_header(), these callbacks can run with the team net_device instead of the real lower device, so netdev_priv(dev) is interpreted as the wrong private type and can crash. The syzbot report shows a crash in bond_header_create(), but the root cause is in team: the topology is gre -> bond -> team, and team calls the inherited header_ops with its own net_device instead of the lower device, so bond_header_create() receives a team device and interprets netdev_priv() as bonding private data, causing a type confusion crash. Fix this by introducing team header_ops wrappers for create/parse, selecting a team port under RCU, and calling the lower device callbacks with port->dev, so each callback always sees the correct net_device context. Also pass the selected lower device to the lower parse callback, so recursion is bounded in stacked non-Ethernet topologies and parse callbacks always run with the correct device context.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-28
Generated
2026-05-07
AI Q&A
2026-04-22
EPSS Evaluated
2026-05-05
NVD
CVE-2026-31502
EUVD
EUVD-2026-24879
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 3.7
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 3.7.1 (inc) to 6.12.80 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-843 The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a type confusion issue in the Linux kernel's team network device implementation. Specifically, for non-Ethernet ports, the team device copies header operations (header_ops) directly from the port device. Later, when the team device calls certain header operation callbacks like dev_hard_header() or dev_parse_header(), these callbacks run with the team net_device instead of the actual lower device. This causes the private data (netdev_priv) to be interpreted incorrectly, leading to a crash.

The root cause is that the team device uses the wrong context for header operations, causing type confusion between different private data structures. This was observed in a crash scenario involving a network topology of gre -> bond -> team, where the bonding code received a team device and misinterpreted its private data.

The fix involves introducing wrappers for the team header operations that ensure callbacks are called with the correct lower device context, preventing the type confusion and associated crashes.


How can this vulnerability impact me? :

This vulnerability can cause the Linux kernel to crash due to type confusion when handling network packets on team devices with non-Ethernet ports. Such crashes can lead to denial of service (DoS) conditions on affected systems, potentially disrupting network connectivity and impacting system stability.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart