Type Confusion Vulnerability in Linux Kernel Affecting Bonding Drivers
CVE-2026-43456

7.8 HIGH

Key Information:

Vendor: Linux

Status
Vendor
CVE Published: 8 May 2026

What is CVE-2026-43456?

A type confusion vulnerability affects the bonding feature in the Linux kernel. When a non-Ethernet device, such as a GRE tunnel, is enslaved to a bond, the bonding logic improperly inherits the header operations from the slave device. Those header operations expect the slave's device-specific private data layout, which the bond device does not have, so they access the wrong data, read garbage values, and can crash the system. The fix introduces dedicated wrapper functions for bond devices that ensure the network device private data is handled correctly, preventing this instability.
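The following userland C model is an added example, not kernel code and not the upstream patch. It shows a header callback reading the wrong private layout when a bond borrows its slave's operations, and a wrapper that forwards the call to the slave instead. Every struct, function and value in it is hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userland model of the bug class; every name here is hypothetical. */
struct net_dev;
struct hdr_ops { uint32_t (*create)(const struct net_dev *dev); };
struct net_dev { const struct hdr_ops *ops; void *priv; };

/* The two device types keep different private layouts. */
struct tunnel_priv { uint32_t flags; uint32_t key; };
struct bond_priv   { uint32_t mode; uint32_t slave_cnt; struct net_dev *slave; };

/* Tunnel callback: assumes dev->priv holds a tunnel_priv. */
static uint32_t tunnel_create(const struct net_dev *dev)
{
    struct tunnel_priv t;
    memcpy(&t, dev->priv, sizeof t);   /* interprets whatever bytes are there */
    return t.key;
}
static const struct hdr_ops tunnel_ops = { tunnel_create };

/* Bond wrapper: resolve the slave, then call its callback with the slave. */
static uint32_t bond_create(const struct net_dev *dev)
{
    const struct bond_priv *b = dev->priv;
    return b->slave->ops->create(b->slave);
}
static const struct hdr_ops bond_ops = { bond_create };

/* Returns the key the header callback sees when invoked on the bond. */
uint32_t key_seen_via_bond(int use_wrapper)
{
    struct tunnel_priv tp = { 0, 0xC0FFEE };   /* constructed sample key */
    struct net_dev tun = { &tunnel_ops, &tp };
    struct bond_priv bp = { 1, 7, &tun };
    /* Inherited ops (the confused case) versus the bond's own wrapper. */
    struct net_dev bond = { use_wrapper ? &bond_ops : tun.ops, &bp };
    return bond.ops->create(&bond);
}

int main(void)
{
    printf("inherited ops: key=0x%x\n", (unsigned)key_seen_via_bond(0));
    printf("wrapper ops:   key=0x%x\n", (unsigned)key_seen_via_bond(1));
    return 0;
}
```

With inherited operations the callback returns the bond's slave count as if it were the tunnel key; with the wrapper it returns the tunnel's real key.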

Affected Version(s)

Linux 1284cd3a2b740d0118458d2ea470a1e5bc19b187 < 9baf26a91565b7bb2b1d9f99aaf884a2b28c2f6d

Linux 1284cd3a2b740d0118458d2ea470a1e5bc19b187 < 6ac890f1d60ac3707ee8dae15a67d9a833e49956

Linux 1284cd3a2b740d0118458d2ea470a1e5bc19b187 < 95597d11dc8bddb2b9a051c9232000bfbb5e43ba

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
