PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23171 Linux CVE debrief

CVE-2026-23171 is a Linux kernel bonding vulnerability that can trigger a use-after-free during enslave handling. According to the CVE description, the problem occurs when a new slave is added to the slave array before all enslave error paths are finished; if enslave then fails, cleanup can free the slave memory while it may still be used for transmit path decisions. The fix moves the slave-array update later in the flow, after XDP setup, so further enslave failures are not expected at that point. NVD rates the issue CVSS 3.1 7.8 HIGH with local attack requirements (AV:L/PR:L/UI:N) and maps it to CWE-416. The vulnerable range listed by NVD covers Linux kernel 5.15 through 6.18.9, plus 6.19-rc1 through 6.19-rc7.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-14
Original CVE updated
2026-05-17
Advisory published
2026-02-14
Advisory updated
2026-05-17

Who should care

Linux kernel maintainers, distribution security teams, and operators using bonding interfaces, especially environments that enable XDP on bonded devices or allow local users to change network configuration. The NVD vector (AV:L/PR:L) means a local, low-privileged attack path, so multi-tenant hosts where unprivileged users can reach network configuration are the most exposed. Systems running kernels in the affected ranges should treat this as a prompt patching item.

Technical summary

The bug is in bonding enslave processing. The CVE text says the new slave is inserted into the slave array too early, before the code has finished handling failure cases. Because a slave in that array can be selected for transmit immediately, a later enslave error path can free the allocated slave memory while transmit code still references it, creating a use-after-free. This is the familiar early-publication pattern: an object becomes reachable through a shared structure while its setup can still fail, so the error path ends up tearing down something other code may already be using. The kernel fix reorders the operations so the slave-array update happens after XDP setup, the last step that can fail, so no failure path runs once the slave is visible. The NVD record associates the issue with CWE-416 and affected Linux kernel versions from 5.15 up to 6.18.9, plus 6.19-rc1 through 6.19-rc7.
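The following is an added illustration, not kernel code and not part of the PatchSiren debrief. It is a user-space model of the ordering bug: a bond holds an array of slaves that the transmit path reads when choosing an egress device, and the vulnerable ordering publishes the slave into that array before a step that can still fail. Names such as setup_xdp(), bond_pick_tx() and enslave_buggy()/enslave_fixed() are assumptions made for the model. Slaves come from a fixed pool with an alive flag instead of malloc/free so that the stale reference can be observed without touching freed memory, and the model is single-threaded: it makes the window visible by leaving the stale array entry in place rather than by reproducing the kernel's concurrent transmitter.

```c
/* Added example (assumed names, not the kernel's bond_enslave): the slave
 * array is the publication point; anything that can fail must run before it. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SLAVES 8

struct slave {
    char name[16];
    bool in_use;   /* slot handed out by slave_alloc(); never reused */
    bool alive;    /* cleared by slave_free(); published && !alive == dangling */
};

struct bond {
    struct slave *arr[MAX_SLAVES]; /* published slaves, read by the tx path */
    int count;
};

static struct slave pool[MAX_SLAVES];   /* stands in for the slab allocator */

static void bond_init(struct bond *b) { memset(b, 0, sizeof *b); }

static struct slave *slave_alloc(const char *name) {
    for (int i = 0; i < MAX_SLAVES; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            pool[i].alive = true;
            snprintf(pool[i].name, sizeof pool[i].name, "%s", name);
            return &pool[i];
        }
    }
    return NULL;
}

static void slave_free(struct slave *s) { s->alive = false; }

/* Publish the slave: from here on the tx path may select it. */
static void bond_publish(struct bond *b, struct slave *s) {
    if (b->count < MAX_SLAVES)
        b->arr[b->count++] = s;
}

/* Simplified egress selection: the first published slave, if any. */
static struct slave *bond_pick_tx(const struct bond *b) {
    return b->count > 0 ? b->arr[0] : NULL;
}

/* Stand-in for the fallible XDP setup; 'fail' forces the error branch. */
static int setup_xdp(struct slave *s, bool fail) {
    (void)s;
    return fail ? -1 : 0;
}

/* Vulnerable ordering: publish, then do work that can still fail.  On failure
 * the slave is freed although the array (and any transmitter) still has it. */
static int enslave_buggy(struct bond *b, const char *name, bool xdp_fails) {
    struct slave *s = slave_alloc(name);
    if (!s)
        return -1;
    bond_publish(b, s);                 /* too early */
    if (setup_xdp(s, xdp_fails) < 0) {
        slave_free(s);                  /* b->arr still references s */
        return -1;
    }
    return 0;
}

/* Fixed ordering: every fallible step runs before the slave becomes visible,
 * so a failure only frees an object nothing else can reach. */
static int enslave_fixed(struct bond *b, const char *name, bool xdp_fails) {
    struct slave *s = slave_alloc(name);
    if (!s)
        return -1;
    if (setup_xdp(s, xdp_fails) < 0) {
        slave_free(s);                  /* never published: safe */
        return -1;
    }
    bond_publish(b, s);                 /* after the last failure point */
    return 0;
}

/* True when the tx path would select a slave that has already been freed. */
static bool bond_tx_uses_freed_slave(const struct bond *b) {
    const struct slave *s = bond_pick_tx(b);
    return s != NULL && !s->alive;
}

int main(void) {
    struct bond buggy, fixed;
    bond_init(&buggy);
    bond_init(&fixed);
    enslave_buggy(&buggy, "eth0", true);
    enslave_fixed(&fixed, "eth0", true);
    printf("buggy order, enslave failed: tx picks freed slave = %s\n",
           bond_tx_uses_freed_slave(&buggy) ? "yes" : "no");
    printf("fixed order, enslave failed: tx picks freed slave = %s\n",
           bond_tx_uses_freed_slave(&fixed) ? "yes" : "no");
    return 0;
}
```

The point of the model is the position of bond_publish() relative to the last call that can fail; the real driver's transmit path runs concurrently, so in the kernel the stale reference is a race window rather than the deterministic stale entry shown here, and the fix closes it by the same reordering.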

Defensive priority

High for systems that use Linux bonding. Patch quickly if you run affected kernels, particularly where bonded interfaces and XDP are in use or where local users can manipulate network device membership.

Recommended defensive actions

  • Apply the kernel fix from the referenced stable patches or update to a kernel release that includes the remediation.
  • Prioritize systems running Linux kernel 5.15 through 6.18.9 and 6.19-rc1 through 6.19-rc7.
  • Review hosts that use bonded interfaces, especially those with XDP attached to bond devices.
  • If patching is not immediately possible, restrict who can change bond membership and avoid attaching XDP programs to bond devices, since the failure path is reached during enslave; monitor for kernel oopses or instability in the bonding transmit path, which in the published trace shows up under netdev_core_pick_tx and bond_start_xmit.
  • Use the official CVE and NVD records to confirm whether your deployed kernel build contains the fix. Distribution kernels backport fixes without changing the upstream version string, so compare against your vendor's advisory or package changelog rather than relying on the version number alone.

Evidence notes

The CVE description states: 'bonding: fix use-after-free due to enslave fail after slave array update' and explains that the slave-array update must be moved after XDP setup to avoid freeing memory that may still be used for Tx. The description also includes a reproducible crash scenario and a kernel stack trace showing failure in netdev_core_pick_tx and bond_start_xmit. NVD lists the issue as CWE-416, CVSS 3.1 7.8 HIGH, and vulnerable Linux kernel versions 5.15 through 6.18.9 plus 6.19-rc1 through 6.19-rc7. Publication date used here is the CVE published timestamp, 2026-02-14T16:15:57.353Z; the 2026-05-17 timestamp reflects a later modification to the record.

Official resources

CVE published 2026-02-14T16:15:57.353Z and modified 2026-05-17T16:16:14.983Z. The later modification added or updated kernel patch references in the NVD record.