CVE-2026-43234
Awaiting Analysis Awaiting Analysis - Queue
Use-After-Free in Linux Kernel Team Driver

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: team: avoid NETDEV_CHANGEMTU event when unregistering slave syzbot is reporting unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3 ref_tracker: netdev@ffff88807dcf8618 has 1/2 users at __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline] netdev_hold include/linux/netdevice.h:4429 [inline] inetdev_init+0x201/0x4e0 net/ipv4/devinet.c:286 inetdev_event+0x251/0x1610 net/ipv4/devinet.c:1600 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_mtu net/core/dev.c:2318 [inline] netif_set_mtu_ext+0x5aa/0x800 net/core/dev.c:9886 netif_set_mtu+0xd7/0x1b0 net/core/dev.c:9907 dev_set_mtu+0x126/0x260 net/core/dev_api.c:248 team_port_del+0xb07/0xcb0 drivers/net/team/team_core.c:1333 team_del_slave drivers/net/team/team_core.c:1936 [inline] team_device_event+0x207/0x5b0 drivers/net/team/team_core.c:2929 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2281 [inline] call_netdevice_notifiers net/core/dev.c:2295 [inline] __dev_change_net_namespace+0xcb7/0x2050 net/core/dev.c:12592 do_setlink+0x2ce/0x4590 net/core/rtnetlink.c:3060 rtnl_changelink net/core/rtnetlink.c:3776 [inline] __rtnl_newlink net/core/rtnetlink.c:3935 [inline] rtnl_newlink+0x15a9/0x1be0 net/core/rtnetlink.c:4072 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894 problem. Ido Schimmel found steps to reproduce ip link add name team1 type team ip link add name dummy1 mtu 1499 master team1 type dummy ip netns add ns1 ip link set dev dummy1 netns ns1 ip -n ns1 link del dev dummy1 and also found that the same issue was fixed in the bond driver in commit f51048c3e07b ("bonding: avoid NETDEV_CHANGEMTU event when unregistering slave"). Let's do similar thing for the team driver, with commit ad7c7b2172c3 ("net: hold netdev instance lock during sysfs operations") and commit 303a8487a657 ("net: s/__dev_set_mtu/__netif_set_mtu/") also applied.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-05-06
AI Q&A
2026-05-06
EPSS Evaluated
N/A
NVD
CVE-2026-43234
EUVD
EUVD-2026-27793
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel involves an issue with the network device management, specifically related to the 'team' network driver. The problem occurs when unregistering a slave device from a team device, where the system waits for the device to become free but encounters a usage count that prevents proper release.

The root cause is related to the NETDEV_CHANGEMTU event being triggered during the unregistering process, which leads to a deadlock or hang situation. The vulnerability was identified through a sequence of commands that create a team device, add a dummy device as a slave, move it to a network namespace, and then delete it, causing the issue.

The fix involved avoiding the NETDEV_CHANGEMTU event when unregistering the slave device, similar to a previous fix applied to the bonding driver, and holding the netdev instance lock during sysfs operations.


How can this vulnerability impact me? :

This vulnerability can cause the Linux kernel to hang or deadlock when network devices are being unregistered, specifically in configurations using the team network driver with slave devices.

Such a hang can lead to system instability, degraded network performance, or denial of service conditions where network interfaces become unresponsive or cannot be properly managed.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability relates to the Linux kernel's network device handling, specifically involving the team driver and MTU change events during device unregistration.

Detection can be attempted by reproducing the conditions that trigger the issue, which involve creating a team device and a dummy device with specific MTU settings, moving the dummy device into a network namespace, and then deleting it.

  • ip link add name team1 type team
  • ip link add name dummy1 mtu 1499 master team1 type dummy
  • ip netns add ns1
  • ip link set dev dummy1 netns ns1
  • ip -n ns1 link del dev dummy1

Observing kernel logs for messages such as "unregister_netdevice: waiting for netdevsim0 to become free" or reference count warnings related to netdevice usage can also indicate the presence of this issue.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by applying specific patches to the Linux kernel's team driver, similar to fixes applied to the bond driver.

Immediate mitigation involves updating the Linux kernel to a version that includes the following commits:

  • Commit f51048c3e07b - "bonding: avoid NETDEV_CHANGEMTU event when unregistering slave"
  • Commit ad7c7b2172c3 - "net: hold netdev instance lock during sysfs operations"
  • Commit 303a8487a657 - "net: s/__dev_set_mtu/__netif_set_mtu/"

Until the kernel is updated, avoid operations that trigger the unregistering of slave devices in the team driver, such as deleting dummy devices in network namespaces that are slaves to team devices.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart