CVE-2026-53069
Received - Intake
Null Pointer Dereference in Linux Kernel XDP

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master

syzkaller reported a kernel panic in bond_rr_gen_slave_id() reached via xdp_master_redirect(). Full decoded trace:

https://syzkaller.appspot.com/bug?extid=80e046b8da2820b6ba73

bond_rr_gen_slave_id() dereferences bond->rr_tx_counter, a per-CPU counter that bonding only allocates in bond_open() when the mode is round-robin. If the bond device was never brought up, rr_tx_counter stays NULL.

The XDP redirect path can still reach that code on a bond that was never opened: bpf_master_redirect_enabled_key is a global static key, so as soon as any bond device has native XDP attached, the XDP_TX -> xdp_master_redirect() interception is enabled for every slave system-wide. The path xdp_master_redirect() -> bond_xdp_get_xmit_slave() -> bond_xdp_xmit_roundrobin_slave_get() -> bond_rr_gen_slave_id() then runs against a bond that has no rr_tx_counter and crashes.

Fix this in the generic xdp_master_redirect() by refusing to call into the master's ->ndo_xdp_get_xmit_slave() when the master device is not up. IFF_UP is only set after ->ndo_open() has successfully returned, so this reliably excludes masters whose XDP state has not been fully initialized. Drop the frame with XDP_ABORTED so the exception is visible via trace_xdp_exception() rather than silently falling through. This is not specific to bonding: any current or future master that defers XDP state allocation to ->ndo_open() is protected.

Meta Information

Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A

Affected Vendors & Products
Currently, no data is known.

CWE ID: CWE-UNKNOWN

Detection Guidance

This vulnerability causes a kernel panic related to bonding devices in round-robin mode when XDP is attached but the bond device was never brought up. Detection involves monitoring for kernel panics or crashes linked to bonding and XDP operations.

You can check if any bond devices are configured but not brought up, especially those using round-robin mode, and if native XDP is attached to any bond device.

  • Check bond devices and their status: sudo cat /proc/net/bonding/*
  • Check if bond devices are up: ip link show type bond
  • Check if XDP is attached to any bond device or its slaves: sudo ethtool -S <interface> or ip link show <interface> to look for XDP flags
  • Monitor kernel logs for panics or trace_xdp_exception() messages indicating XDP_ABORTED frames: sudo dmesg | grep -i xdp
  • Use tracing tools like trace-cmd or perf to monitor XDP exceptions and bonding events.
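
The checks above can be combined into one exposure report. The following is an added example, not part of the original advisory or the kernel fix: it evaluates `ip -j -d link show` style JSON for the two conditions the description names (a bond with native XDP attached, and a round-robin bond that is not up). The JSON field layout, the `assess` helper and the sample data are assumptions constructed for illustration.

```python
import json
import sys

XDP_ATTACHED_DRV = 1  # native (driver) mode value from linux/if_link.h

# Constructed sample in the shape of `ip -j -d link show` (field layout assumed).
SAMPLE = json.loads("""[
 {"ifname": "bond0", "flags": ["BROADCAST", "MULTICAST", "MASTER", "UP", "LOWER_UP"],
  "linkinfo": {"info_kind": "bond", "info_data": {"mode": "balance-rr"}},
  "xdp": {"mode": 1, "prog": {"id": 42}}},
 {"ifname": "bond1", "flags": ["BROADCAST", "MULTICAST", "MASTER"],
  "linkinfo": {"info_kind": "bond", "info_data": {"mode": "balance-rr"}}},
 {"ifname": "eth0", "flags": ["BROADCAST", "MULTICAST", "SLAVE", "UP"], "master": "bond0"},
 {"ifname": "eth2", "flags": ["BROADCAST", "MULTICAST", "SLAVE", "UP"], "master": "bond1"}
]""")


def is_bond(link):
    return link.get("linkinfo", {}).get("info_kind") == "bond"


def has_native_xdp(link):
    """True if a driver-mode XDP program is attached (single or multi attach)."""
    xdp = link.get("xdp") or {}
    modes = [xdp.get("mode")] + [a.get("mode") for a in xdp.get("attached", [])]
    return XDP_ATTACHED_DRV in modes


def assess(links):
    """Report the two conditions the advisory describes and whether both hold."""
    bonds = [n for n in links if is_bond(n)]
    # Any bond with native XDP enables the redirect interception for every slave.
    xdp_bonds = sorted(b["ifname"] for b in bonds if has_native_xdp(b))
    down_rr = []
    for b in bonds:
        mode = b["linkinfo"].get("info_data", {}).get("mode")
        slaves = sorted(n["ifname"] for n in links if n.get("master") == b["ifname"])
        # "Not UP" over-approximates "never opened": link flags cannot tell them apart.
        if mode == "balance-rr" and "UP" not in b.get("flags", []) and slaves:
            down_rr.append({"bond": b["ifname"], "slaves": slaves})
    return {"xdp_bonds": xdp_bonds, "down_rr_bonds": down_rr,
            "exposed": bool(xdp_bonds and down_rr)}


if __name__ == "__main__":
    # Pass "-" to read live data: ip -j -d link show | python3 check.py -
    links = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    print(json.dumps(assess(links), indent=2))
```

A result with `exposed` set to true on an unpatched kernel means the configuration matches the conditions in the description; it does not show that a crash has occurred.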

Executive Summary

This vulnerability exists in the Linux kernel's networking code related to the eXpress Data Path (XDP) and bonding driver. Specifically, a null pointer dereference can occur in the function xdp_master_redirect() when it calls bond_rr_gen_slave_id() on a bond device that was never brought up (i.e., never opened). The issue arises because bond_rr_gen_slave_id() dereferences a per-CPU counter (rr_tx_counter) that is only allocated when the bond device is opened in round-robin mode. If the bond device is not opened, this counter remains NULL, leading to a kernel panic when accessed.

The problem happens because the XDP redirect path is enabled system-wide as soon as any bond device has native XDP attached, regardless of whether individual bond devices are up or not. This causes the code to attempt to access uninitialized data on bonds that are down, resulting in a crash.

The fix modifies xdp_master_redirect() so that it does not call the master's ndo_xdp_get_xmit_slave() function if the master device is not up (IFF_UP flag not set). This prevents access to uninitialized XDP state; the frame is instead dropped with XDP_ABORTED, which makes the exception visible via trace_xdp_exception() rather than silently falling through.

Impact Analysis

This vulnerability can cause a kernel panic (system crash) on Linux systems using network bonding with XDP enabled. Specifically, if a bond device is configured but never brought up, and native XDP is attached to any bond device, the system may crash when network traffic triggers the vulnerable code path.

Such a kernel panic can lead to denial of service (DoS) conditions, causing network interruptions and potential downtime for affected systems. This can impact system availability and reliability, especially in environments relying on bonded network interfaces for redundancy or performance.

Mitigation Strategies

The vulnerability is fixed by ensuring that the master device is up before calling into the master's ndo_xdp_get_xmit_slave() function. This prevents null pointer dereference by refusing to process XDP redirects on bond devices that have not been brought up.

Immediate mitigation steps include applying the patch or update that contains this fix to your Linux kernel.

Additionally, avoid attaching native XDP to bond devices that have not been brought up, as the vulnerability arises when XDP is enabled on such devices.
