PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43456 Linux CVE debrief

CVE-2026-43456 is a Linux kernel bonding flaw where bond_setup_by_slave() copies a slave device’s header_ops directly onto the bond device. When a non-Ethernet slave such as a GRE tunnel is enslaved, later header processing can invoke tunnel-specific helpers with the bond’s private-data layout instead of the slave’s, causing type confusion and crashes. The supplied report shows a kernel BUG reached through ipgre_header() and packet_sendmsg(), and NVD rates the issue 7.8 High.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-08
Original CVE updated
2026-05-20
Advisory published
2026-05-08
Advisory updated
2026-05-20

Who should care

Linux kernel maintainers, distro security teams, and operators using bonding with GRE/IP tunnel or other non-Ethernet slaves, especially in active-backup configurations.

Technical summary

The root cause is that bond_setup_by_slave() blindly inherits header_ops from the enslaved interface. Some header callbacks, such as ipgre_header() and related tunnel helpers, call netdev_priv(dev) and expect a device-specific private structure. When those callbacks run on the bond device, netdev_priv() resolves to struct bonding rather than the expected tunnel private data, producing invalid reads and kernel crashes. The fix, per the supplied description, is to use bond_header_ops wrapper functions that forward to the active slave’s header_ops while preserving the slave device context.

Defensive priority

High for hosts that use Linux bonding with non-Ethernet slaves; patch promptly and prioritize these systems for verification.

Recommended defensive actions

  • Apply the official stable kernel fixes referenced by NVD.
  • Upgrade kernels that fall within the affected ranges: before 6.12.78, 6.18.19, or 6.19.9, and the listed 7.0 release candidates.
  • Audit bonded interfaces for non-Ethernet slaves such as GRE or IP tunnel devices.
  • Test the updated bonding and header_ops behavior in staging before rolling out to production.
  • Treat crashes involving pskb_expand_head(), ipgre_header(), or packet_sendmsg() as a cue to verify both kernel version and bond configuration.

Evidence notes

The corpus states that bond_setup_by_slave() directly copies slave_dev->header_ops to the bond device, and that tunnel header functions rely on netdev_priv(dev) returning the correct private structure. The supplied crash trace shows a failure in pskb_expand_head() reached via ipgre_header() and packet_sendmsg(). NVD marks the item analyzed, assigns CWE-908, and lists affected Linux kernel version ranges plus four official stable patch references. CVE publishedAt is 2026-05-08 and modifiedAt is 2026-05-20.

Official resources

Public CVE record published on 2026-05-08 and updated by NVD on 2026-05-20. The provided corpus contains no KEV entry and no ransomware attribution; only official CVE, NVD, and kernel patch references are included.