CVE-2026-53337
Received - Intake

NULL Pointer Dereference in Linux Kernel Bonding Driver

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved:

net: bonding: fix NULL pointer dereference in bond_do_ioctl()

In bond_do_ioctl(), slave_dev is obtained via __dev_get_by_name() which can return NULL if the requested interface name does not exist. However, the subsequent slave_dbg() call is placed before the NULL check:

    slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
    slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev); //here
    if (!slave_dev)
        return -ENODEV;

The slave_dbg() macro expands to netdev_dbg(bond_dev, "(slave %s): " fmt, (slave_dev)->name, ...) which unconditionally dereferences slave_dev->name before the NULL check is performed. This results in a NULL pointer dereference kernel oops when a user calls bonding ioctl (e.g. SIOCBONDENSLAVE, SIOCBONDRELEASE, etc.) with a non-existent slave interface name.

This is reachable from userspace via the bonding ioctl interface with CAP_NET_ADMIN capability, making it a potential local denial-of-service vector.

Fix by moving the slave_dbg() call after the NULL check.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor   Product        Version / Range
linux    linux_kernel   *

Exploitability

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's network bonding driver. Specifically, in the bond_do_ioctl() function, a pointer called slave_dev is obtained using __dev_get_by_name(), which can return NULL if the requested network interface name does not exist.

However, before checking if slave_dev is NULL, the code calls slave_dbg(), which dereferences slave_dev->name unconditionally. If slave_dev is NULL, this causes a NULL pointer dereference, leading to a kernel oops (crash).

This can be triggered by a user with CAP_NET_ADMIN capability issuing bonding ioctl commands with a non-existent slave interface name, potentially causing a local denial-of-service.

The fix involved moving the slave_dbg() call to after the NULL check to prevent dereferencing a NULL pointer.

Impact Analysis

This vulnerability can be exploited by a local user with CAP_NET_ADMIN privileges to cause a denial-of-service (DoS) condition by crashing the kernel.

Specifically, by issuing bonding ioctl commands with a non-existent slave interface name, the attacker can trigger a NULL pointer dereference, resulting in a kernel oops and potentially system instability or downtime.

Detection Guidance

This vulnerability occurs when a bonding ioctl call (such as SIOCBONDENSLAVE or SIOCBONDRELEASE) is made with a non-existent slave interface name, causing a NULL pointer dereference in the Linux kernel bonding driver.

To detect if your system is vulnerable, you can attempt to invoke bonding ioctl commands with invalid or non-existent slave interface names and observe if the kernel crashes or logs oops messages related to bonding or NULL pointer dereferences.

Example commands to test this might include using the 'ip' or 'ifenslave' utilities with invalid interface names, or writing a small program or script that issues bonding ioctl calls with non-existent slave names, but note that these require CAP_NET_ADMIN privileges.

  • Check kernel logs (e.g., dmesg) for bonding-related NULL pointer dereference oops messages after such tests.
  • Example command to check kernel logs: dmesg | grep -i 'bonding\|NULL pointer'
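
Added example (not part of the original report or of the kernel project's code): the grep above matches any bonding message or any NULL-pointer line on its own, so this Python script instead reports only oops reports whose trace names bond_do_ioctl(). The log lines are constructed, and the assumption that bond_do_ioctl shows up as a RIP or call-trace frame follows from the description, not from a captured crash.

```python
import re

# Oops banners: x86 prints "BUG: kernel ...", arm64 "Unable to handle kernel ...".
OOPS_START = re.compile(r"(BUG: kernel|Unable to handle kernel) NULL pointer dereference")
OOPS_END = re.compile(r"---\[ end trace")
# Function named in the CVE description, as a RIP/PC or call-trace frame.
BOND_FRAME = re.compile(r"\bbond_do_ioctl\+0x[0-9a-f]+/0x[0-9a-f]+")
COMM = re.compile(r"\bComm: (\S+)")
STAMP = re.compile(r"^\[\s*(\d+\.\d+)\]")

def find_bond_ioctl_oopses(lines, max_span=80):
    """Return one record per NULL-dereference oops whose trace names bond_do_ioctl."""
    hits, cur = [], None
    for line in lines:
        if OOPS_START.search(line):
            if cur and cur["frame"]:
                hits.append(cur)  # previous report had no end marker
            m = STAMP.match(line)
            cur = {"time": m.group(1) if m else None, "comm": None, "frame": None, "seen": 0}
            continue
        if cur is None:
            continue  # routine bonding messages outside an oops are not findings
        cur["seen"] += 1
        if cur["comm"] is None and (m := COMM.search(line)):
            cur["comm"] = m.group(1)
        if cur["frame"] is None and (m := BOND_FRAME.search(line)):
            cur["frame"] = m.group(0)
        if OOPS_END.search(line) or cur["seen"] >= max_span:
            if cur["frame"]:
                hits.append(cur)
            cur = None
    if cur and cur["frame"]:
        hits.append(cur)  # log was cut off mid-report
    return hits

# Constructed sample log: offsets, PIDs and timestamps are illustrative only.
SAMPLE = """\
[   41.100000] bonding: bond0: (slave eth1): link status definitely up
[   97.412345] BUG: kernel NULL pointer dereference, address: 0000000000000000
[   97.412371] CPU: 2 PID: 1834 Comm: ifenslave Not tainted
[   97.412380] RIP: 0010:bond_do_ioctl+0x11c/0x2f0 [bonding]
[   97.412402] ---[ end trace 0000000000000000 ]---
[  250.000100] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  250.000120] CPU: 0 PID: 77 Comm: kworker/0:1 Not tainted
[  250.000130] RIP: 0010:other_driver_fn+0x20/0x90
""".splitlines()

if __name__ == "__main__":
    print(find_bond_ioctl_oopses(SAMPLE))
```

On a live host the same function can be fed the output of dmesg or journalctl -k split into lines.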

Mitigation Strategies

The immediate mitigation is to update the Linux kernel to a version where this vulnerability is fixed, specifically where the slave_dbg() call is moved after the NULL check in bond_do_ioctl().

Until the kernel is updated, restrict access to the bonding ioctl interface by limiting CAP_NET_ADMIN capability to trusted users only, as exploitation requires this privilege.

Avoid running untrusted code or userspace programs that can issue bonding ioctl calls with arbitrary interface names.
