PatchSiren cyber security CVE debrief

CVE-2026-23099 Linux kernel CVE debrief

CVE-2026-23099 is a high-severity (CVSS 7.1) vulnerability in the Linux kernel's bonding driver in 802.3ad (LACP) mode, BOND_MODE_8023AD. The driver did not restrict which network device types could be enslaved in this mode, so enslaving a non-Ethernet device could trigger a global out-of-bounds memory access. Affected products are a range of Linux kernel versions. Defenders should prioritize patching to limit exposure.

Vendor
Linux kernel
Product
Linux kernel
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-04
Original CVE updated
2026-06-19
Advisory published
2026-02-04
Advisory updated
2026-06-19

Who should care

System administrators and security teams responsible for Linux kernel-based systems, especially those using bonding with 8023AD mode, should prioritize patching this vulnerability. This includes organizations with Linux-based servers, virtual machines, or network infrastructure. Additionally, Linux distribution maintainers and developers should apply patches to their supported versions.

Technical summary

The bonding driver's 802.3ad mode was not restricted to Ethernet devices. When a non-Ethernet device is enslaved to a bond in BOND_MODE_8023AD, the driver can access the global lacpdu_mcast_addr array (the LACPDU multicast MAC address) outside its bounds, which is the global out-of-bounds access that syzbot reported. The CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H: local access with low privileges, no user interaction, high confidentiality and availability impact, and no integrity impact.

Defensive priority

High priority, given the high CVSS score and the potential for elevation of privileges.

Recommended defensive actions

  • Apply the official patches from the Linux kernel maintainers
  • Review the kernel versions in use and update systems to a patched version
  • Inventory Linux systems using bonding in 802.3ad mode and prioritize patching them
  • Monitor Linux kernel updates and apply patches in a timely manner
  • Consider compensating controls, such as enslaving only Ethernet devices to 802.3ad bonds
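A defender's check for the inventory item above, added here as an example that is not part of the PatchSiren debrief or the kernel project's code: it lists bonding masters from sysfs and, for each 802.3ad bond, reports slaves whose link-layer type is not Ethernet. It assumes the standard bonding sysfs layout (/sys/class/net/bonding_masters, <bond>/bonding/mode, <bond>/bonding/slaves, <iface>/type) and includes a constructed sample tree, so the interface names in that tree, including "nonether0", are hypothetical.

```shell
#!/bin/sh
# Added example (not PatchSiren's or the kernel project's code): audit bonding
# masters for the exposure pattern behind CVE-2026-23099, an 802.3ad (LACP)
# bond that enslaves a non-Ethernet device, using the bonding driver's sysfs.
# Prints "<bond> mode=<mode> [<slave>:type=<n>[(NON-ETHERNET)] ...]" per bond;
# returns 1 if any 802.3ad bond has a slave whose ARPHRD type is not 1
# (ARPHRD_ETHER). $1 overrides the sysfs root (used for the sample tree).
audit_bonds() {
    root="${1:-/sys/class/net}"
    rc=0
    [ -r "$root/bonding_masters" ] || { echo "no bonding masters under $root"; return 0; }
    for bond in $(cat "$root/bonding_masters"); do
        mode=$(cut -d' ' -f1 "$root/$bond/bonding/mode" 2>/dev/null)
        line="$bond mode=${mode:-unknown}"
        if [ "$mode" = "802.3ad" ]; then
            for slave in $(cat "$root/$bond/bonding/slaves" 2>/dev/null); do
                ltype=$(cat "$root/$slave/type" 2>/dev/null || echo '?')
                line="$line $slave:type=$ltype"
                if [ "$ltype" != "1" ]; then
                    line="$line(NON-ETHERNET)"
                    rc=1
                fi
            done
        fi
        echo "$line"
    done
    return "$rc"
}

# Constructed sample tree (not real data): bond0 is 802.3ad over eth0 plus
# "nonether0", a hypothetical non-Ethernet slave (type 65534 = ARPHRD_NONE);
# bond1 is active-backup and must not be flagged.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bond0/bonding" "$root/bond1/bonding" "$root/eth0" "$root/eth1" "$root/nonether0"
    printf 'bond0 bond1\n' > "$root/bonding_masters"
    printf '802.3ad 4\n' > "$root/bond0/bonding/mode"
    printf 'eth0 nonether0\n' > "$root/bond0/bonding/slaves"
    printf 'active-backup 1\n' > "$root/bond1/bonding/mode"
    printf 'eth1\n' > "$root/bond1/bonding/slaves"
    printf '1\n' > "$root/eth0/type"
    printf '1\n' > "$root/eth1/type"
    printf '65534\n' > "$root/nonether0/type"
    echo "$root"
}

# "--demo" audits the constructed tree; with no argument, the live sysfs.
if [ "${1:-}" = "--demo" ]; then root_arg=$(make_sample_tree); else root_arg=""; fi
audit_bonds "$root_arg" || echo "FLAGGED: non-Ethernet slave on an 802.3ad bond"
```

Run it with `--demo` to see the constructed tree flagged; on a real host a non-zero exit means an 802.3ad bond has a non-Ethernet slave and should be patched first.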

Evidence notes

syzbot reported the bug, which stems from the absence of a network device type restriction for BOND_MODE_8023AD. It affects various Linux kernel versions, including 2.6.24 to 5.15.199, 5.16 to 6.1.162, 6.2 to 6.6.122, 6.7 to 6.12.68, and 6.13 to 6.18.8. The primary evidence is the Linux kernel source code and the syzbot report.

Official resources

This article is AI-assisted and based on the supplied source corpus.