PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23451 Linux CVE debrief

CVE-2026-23451 is a Linux kernel bonding bug that can send bond_header_parse() into an infinite loop when two bonding devices are stacked. It is an availability problem, not a memory-safety one: the parser derives the bond it is working on from skb->dev, which always points at the top of the hierarchy, so a bond whose slave is itself a bond re-enters the same parser instead of descending to the leaf device. The kernel fix adds a const struct net_device *dev parameter to the header_ops->parse() path so each level parses against its own device, the recursion is bounded, and the leaf device's parser is reached.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-03
Original CVE updated
2026-05-21
Advisory published
2026-04-03
Advisory updated
2026-05-21

Who should care

Linux kernel maintainers, distro kernel teams, and operators running bonding or other stacked network aggregation setups should prioritize this. Hosts that use bonding in layered configurations (a bond enslaving another bond) are the clearest candidates for impact, and the CVSS vector (network-reachable, no privileges or user interaction, high availability impact) puts a host-level denial of service within reach of traffic alone.

Technical summary

NVD classifies the issue as CVSS 3.1 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps it to CWE-835 (loop with unreachable exit condition). The source description says bond_header_parse() can loop when a stack of two bonding devices is configured because skb->dev always points to the hierarchy top. The fix changes the header_ops->parse() interface to accept a const struct net_device *dev argument so the recursion is limited to the proper device and the leaf parse method is invoked correctly. NVD lists vulnerable CPE entries for Linux kernel 6.12.78, 6.18.19, 6.19.9, and 7.0-rc1 through 7.0-rc4, and the record includes multiple kernel.org patch references indicating backported fixes. Treat those version strings as the boundaries NVD recorded rather than an exhaustive list: confirm the affected range for your stable branch against the kernel.org patch references before deciding a build is clean.
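To make the loop concrete, the following is an added model written for this debrief, not kernel code and not the patch itself. It reproduces the shape of the bug: a bonding parser that picks its slave from skb->dev (the old interface) re-enters itself when bond0 enslaves bond1, while a parser that receives the current device explicitly (the new interface) descends bond0 -> bond1 -> eth0 and reaches the leaf. The struct layouts, the hop counter, the MAX_HOPS cap, and the two-bond topology are all constructed for the model.

```c
/* Model of the stacked-bonding parse recursion (added example, not kernel code). */
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6
#define MAX_HOPS 16   /* hop cap so the buggy path terminates in this model */

struct net_device;

/* Only the field the bug hinges on: skb->dev is the top device of the stack. */
struct sk_buff {
    struct net_device *dev;
};

/* Hypothetical header_ops carrying both interfaces so they can be compared. */
struct header_ops {
    int (*parse_old)(const struct sk_buff *skb, unsigned char *haddr);
    int (*parse_new)(const struct sk_buff *skb, const struct net_device *dev,
                     unsigned char *haddr);
};

struct net_device {
    const char *name;
    const struct header_ops *header_ops;
    struct net_device *slave;          /* bonding: slave to forward to; NULL on a leaf */
    unsigned char dev_addr[ETH_ALEN];
};

static int hops;   /* counts parse() calls so the loop can be detected */

/* Leaf (ethernet-like) parser: copies the device's own address. */
static int eth_parse_old(const struct sk_buff *skb, unsigned char *haddr)
{
    hops++;
    memcpy(haddr, skb->dev->dev_addr, ETH_ALEN);
    return ETH_ALEN;
}

static int eth_parse_new(const struct sk_buff *skb, const struct net_device *dev,
                         unsigned char *haddr)
{
    (void)skb;
    hops++;
    memcpy(haddr, dev->dev_addr, ETH_ALEN);
    return ETH_ALEN;
}

/* Buggy bonding parser: the slave is always derived from skb->dev, the top
 * bond, so a bond whose slave is another bond re-enters itself forever. */
static int bond_parse_old(const struct sk_buff *skb, unsigned char *haddr)
{
    const struct net_device *slave = skb->dev->slave;
    if (++hops > MAX_HOPS)
        return -1;            /* in the kernel this would spin indefinitely */
    return slave->header_ops->parse_old(skb, haddr);
}

/* Fixed bonding parser: the current device is passed explicitly, so each
 * level descends to its own slave and the leaf parser is reached. */
static int bond_parse_new(const struct sk_buff *skb, const struct net_device *dev,
                          unsigned char *haddr)
{
    const struct net_device *slave = dev->slave;
    hops++;
    return slave->header_ops->parse_new(skb, slave, haddr);
}

static const struct header_ops eth_ops  = { eth_parse_old,  eth_parse_new };
static const struct header_ops bond_ops = { bond_parse_old, bond_parse_new };

/* Constructed topology: bond0 -> bond1 -> eth0 (two stacked bonds). */
static struct net_device eth0  = { "eth0",  &eth_ops,  NULL,   { 0x02, 0, 0, 0, 0, 0x01 } };
static struct net_device bond1 = { "bond1", &bond_ops, &eth0,  { 0x02, 0, 0, 0, 0, 0x02 } };
static struct net_device bond0 = { "bond0", &bond_ops, &bond1, { 0x02, 0, 0, 0, 0, 0x03 } };

/* Returns -1 when the old interface loops, otherwise the parsed length. */
int run_old_interface(unsigned char *haddr)
{
    struct sk_buff skb = { &bond0 };
    hops = 0;
    return bond0.header_ops->parse_old(&skb, haddr);
}

/* Returns the parsed length (ETH_ALEN) via the fixed interface. */
int run_new_interface(unsigned char *haddr)
{
    struct sk_buff skb = { &bond0 };
    hops = 0;
    return bond0.header_ops->parse_new(&skb, &bond0, haddr);
}

int hops_taken(void) { return hops; }

int main(void)
{
    unsigned char haddr[ETH_ALEN] = { 0 };
    int n = run_old_interface(haddr);
    printf("old interface: %s after %d hops\n", n < 0 ? "looped" : "finished", hops_taken());
    n = run_new_interface(haddr);
    printf("new interface: %d bytes from %s after %d hops, addr ends %02x\n",
           n, eth0.name, hops_taken(), haddr[ETH_ALEN - 1]);
    return 0;
}
```

The old path never advances past bond1 because every call re-reads skb->dev->slave, which is bond1 again; only the artificial MAX_HOPS cap stops it. The new path takes exactly three parse() calls (bond0, bond1, eth0) and returns eth0's address, which is the bounded recursion the kernel fix restores.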

Defensive priority

High for any environment using Linux bonding, especially stacked bonding configurations; otherwise patch as part of normal kernel maintenance.

Recommended defensive actions

  • Apply the Linux kernel update or vendor backport that includes the bond_header_parse() fix.
  • Inventory systems that use the bonding driver and flag every bond whose slave is itself a bond; those stacked configurations are the ones the description names, so validate and patch them first. Other aggregation setups (teaming, LACP on a single bond) are worth listing for completeness but are not the code path the record describes.
  • Confirm your vendor kernel build includes the stable patch backport, not just an upstream commit reference.
  • Until patched, watch affected hosts for soft-lockup warnings or a CPU pinned in the network path during interface bring-up and under traffic; after patching, confirm the same workloads run cleanly.
  • If stacked bonding is not required, simplify the network design to reduce exposure to this parser path.
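The inventory step above can be scripted from sysfs, where each bond exposes its slaves in /sys/class/net/BOND/bonding/slaves. The script below is an added example written for this debrief, not a tool from the advisory or the kernel project. It takes a root directory so it can be pointed at the live system (root "/") or, as here, at a constructed directory tree that mimics bond0 -> bond1 -> eth0 plus an ordinary bond2 with two NIC slaves; the fixture layout and the function names are assumptions for the example.

```sh
#!/bin/sh
# Inventory bonds and flag stacked bonds (added example; not from the advisory).
# Pass "/" to inspect the live system; the constructed tree below is for an offline run.

# Print "bond slave" pairs for every bond under the given root.
list_bond_slaves() {
    root="$1"
    for bdir in "$root"/sys/class/net/*/bonding; do
        [ -f "$bdir/slaves" ] || continue
        bond=$(basename "$(dirname "$bdir")")
        for s in $(cat "$bdir/slaves"); do
            printf '%s %s\n' "$bond" "$s"
        done
    done
}

# Print the names of bonds that have at least one bond as a slave.
find_stacked_bonds() {
    root="$1"
    list_bond_slaves "$root" | while read -r bond slave; do
        if [ -d "$root/sys/class/net/$slave/bonding" ]; then
            printf '%s\n' "$bond"
        fi
    done | sort -u
}

# Constructed sysfs tree: bond0 -> bond1 -> eth0 (stacked), bond2 -> eth1 eth2 (flat).
make_fixture() {
    root="$1"
    for dev in eth0 eth1 eth2; do mkdir -p "$root/sys/class/net/$dev"; done
    for b in bond0 bond1 bond2; do mkdir -p "$root/sys/class/net/$b/bonding"; done
    echo "bond1"     > "$root/sys/class/net/bond0/bonding/slaves"
    echo "eth0"      > "$root/sys/class/net/bond1/bonding/slaves"
    echo "eth1 eth2" > "$root/sys/class/net/bond2/bonding/slaves"
}

fixture=$(mktemp -d)
make_fixture "$fixture"
echo "all bonds and slaves:"
list_bond_slaves "$fixture"
echo "stacked bonds (prioritize for patching):"
find_stacked_bonds "$fixture"
rm -rf "$fixture"
```

Run with root "/" on a real host the stacked list is the set of bonds to patch first; an empty list means the stacked-bonding precondition in the CVE description is not present, which lowers urgency but does not remove the need to take the fix in the next kernel update.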

Evidence notes

The CVE description states the bug can loop in bond_header_parse() when two bonding devices are stacked because skb->dev points to the top of the hierarchy. NVD marks the issue analyzed, assigns CVSS 7.5 HIGH with AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and identifies CWE-835. The source corpus also provides four official kernel.org patch references, consistent with a fix and stable backports. CVE publication time is 2026-04-03T16:16:31.460Z; the NVD record was last modified on 2026-05-21T00:30:22.150Z.

Official resources

The NVD record for CVE-2026-23451, published 2026-04-03T16:16:31.460Z and last modified 2026-05-21T00:30:22.150Z, together with the four kernel.org patch references it lists for the upstream fix and its stable backports.