PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31419 Linux CVE debrief

CVE-2026-31419 is a Linux kernel bonding flaw in the broadcast transmit path. A race in bond_xmit_broadcast() could cause the original skb to be reused for the wrong slave and then double-consumed, leading to a use-after-free. The supplied record includes a KASAN crash in skb_clone and official patch references that replace the racy last-slave check with a stable index-based comparison.

Vendor: Linux
Product: Unknown
CVSS: 7.8 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-13
Original CVE updated: 2026-05-20
Advisory published: 2026-04-13
Advisory updated: 2026-05-20

Who should care

Linux kernel maintainers, distribution security teams, and administrators running bonding interfaces in broadcast mode (bonding mode 3, mode=broadcast), which is the mode that transmits through bond_xmit_broadcast(). Deployments where slaves are enslaved or released while the bond is carrying traffic are the most relevant from a defensive review standpoint, because that concurrent list change is what the race requires.

Technical summary

According to the supplied description, bond_xmit_broadcast() iterates the slave list under RCU protection and clones the skb for every slave except the last, to which it hands the original skb instead of a clone. The old bond_is_last_slave() test was racy because a concurrent enslave or release could change the slave list during the iteration, so the entry that looked last when the check ran was not necessarily the last one the loop visited. The original skb could therefore be handed to more than one slave and consumed twice, producing the use-after-free; the provided crash shows KASAN reporting a slab-use-after-free in skb_clone. The fix snapshots the slave count with READ_ONCE() before the loop and reuses the original skb only when i + 1 == slaves_count, so the zero-copy optimization is preserved while the last-slave decision no longer depends on list state that can change mid-loop.
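The following userspace C model is an added illustration of that mechanism; it is not the kernel's code or the patch itself. It replaces the RCU-protected slave list with a plain singly linked list, replaces the skb with a counter of how often the original buffer is handed out versus cloned, and injects a single concurrent enslave right after the loop makes its last-slave decision. Counting the original as consumed twice stands in for the double-consume that becomes a use-after-free in the kernel. The free-if-unused step at the end of the fixed path is this model's own handling of the shrink case, not a claim about the kernel patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy stand-ins for sk_buff, struct slave and struct bonding (model only). */
struct skb   { int consumed; int clones; int freed; };
struct slave { const char *name; struct slave *next; };
struct bond  { struct slave *head; int slave_cnt; };

static void bond_append(struct bond *b, struct slave *s)
{
    struct slave **tail = &b->head;
    while (*tail)
        tail = &(*tail)->next;
    s->next = NULL;
    *tail = s;
    b->slave_cnt++;
}

/* The racy decision: "last" means the live next pointer is NULL right now. */
static bool is_last_slave(const struct slave *s) { return s->next == NULL; }

/* A concurrent enslave, modelled as one append that lands at iteration
 * step `inject_at`, after the loop has already decided whether the current
 * slave is last but before it advances to the next entry. */
struct writer { struct bond *bond; struct slave *newcomer; int inject_at; };

static void writer_run(struct writer *w, int step)
{
    if (w->newcomer && step == w->inject_at) {
        bond_append(w->bond, w->newcomer);
        w->newcomer = NULL;
    }
}

static void xmit_to_slave(struct skb *skb, bool reuse_original)
{
    if (reuse_original) skb->consumed++;   /* original skb handed to the driver */
    else                skb->clones++;     /* skb_clone() in the kernel */
}

/* Old logic: the reuse decision is a live list check inside the loop. */
static int broadcast_racy(struct bond *b, struct skb *skb, struct writer *w)
{
    int step = 0;
    for (struct slave *s = b->head; s; s = s->next, step++) {
        bool last = is_last_slave(s);
        writer_run(w, step);           /* list changes after the check */
        xmit_to_slave(skb, last);
    }
    return skb->consumed;
}

/* Fixed logic: snapshot the slave count once (READ_ONCE() in the kernel) and
 * reuse the original only at index slaves_count - 1. */
static int broadcast_fixed(struct bond *b, struct skb *skb, struct writer *w)
{
    int slaves_count = b->slave_cnt;
    int i = 0;
    for (struct slave *s = b->head; s; s = s->next, i++) {
        bool last = (i + 1 == slaves_count);
        writer_run(w, i);
        xmit_to_slave(skb, last);
    }
    /* Model's own handling: if the list shrank, no slave took the original,
     * so it must be freed rather than leaked. */
    if (skb->consumed == 0)
        skb->freed++;
    return skb->consumed;
}

/* Scenario: two slaves; a third is enslaved while the loop handles the one
 * that looked last (step 1). Returns how often the original was consumed. */
static int run_scenario(bool fixed)
{
    struct slave eth0 = { "eth0", NULL }, eth1 = { "eth1", NULL }, eth2 = { "eth2", NULL };
    struct bond bond = { NULL, 0 };
    struct skb skb = { 0, 0, 0 };
    struct writer w = { &bond, &eth2, 1 };

    bond_append(&bond, &eth0);
    bond_append(&bond, &eth1);
    return fixed ? broadcast_fixed(&bond, &skb, &w)
                 : broadcast_racy(&bond, &skb, &w);
}

int main(void)
{
    printf("racy path: original consumed %d times\n", run_scenario(false));
    printf("fixed path: original consumed %d times\n", run_scenario(true));
    return 0;
}
```

In the racy path the appended slave becomes the new tail, so the live check says "last" twice and the original is consumed twice; in the fixed path the snapshot still says two slaves, the newcomer lands at index 2 and gets a clone, and the original is consumed exactly once.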

Defensive priority

High. NVD classifies the issue as CVSS 7.8 (HIGH), and the flaw is a kernel memory-safety bug with confidentiality, integrity, and availability impact. The affected versions span multiple maintained Linux kernel series, so patch verification should be prioritized wherever bonding is deployed.

Recommended defensive actions

  • Apply the Linux kernel patches referenced in the official stable git links.
  • Upgrade affected Linux kernel installations to versions outside the NVD vulnerable ranges.
  • Review deployments that use bonding in broadcast mode and confirm they are on fixed kernel builds. On a running system the mode of a bond is reported by /sys/class/net/<bond>/bonding/mode (the value reads "broadcast 3" for the affected mode) and by the "Bonding Mode" line of /proc/net/bonding/<bond>.
  • If you maintain a downstream kernel, verify the bonding broadcast transmit logic includes the stable index-based last-slave check.
  • Track any vendor advisories or backports for the affected kernel branches before postponing remediation.

Evidence notes

All findings here are limited to the supplied CVE record and official links. The description explicitly attributes the bug to bond_xmit_broadcast(), notes the racy bond_is_last_slave() check, and provides a KASAN use-after-free crash in skb_clone. NVD lists the weakness as CWE-416 and assigns CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The supplied NVD criteria mark the following ranges as vulnerable: 5.10.94-<5.11, 5.15.17-<5.16, 5.16.3-<5.17, 5.17-6.12.86, 6.13-6.18.22, 6.19-6.19.12, and 7.0 rc1 through rc6. Published at 2026-04-13T14:16:11.447Z and last modified at 2026-05-20T19:32:49.557Z.

Official resources

Publicly disclosed in the CVE record on 2026-04-13T14:16:11.447Z; NVD last modified the record on 2026-05-20T19:32:49.557Z. This debrief uses only the supplied record and official references.