PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45970 Linux CVE debrief

A use-after-free (UAF) vulnerability exists in the Linux kernel's bonding driver, specifically within the Adaptive Load Balancing (ALB) receive path. The flaw occurs during rapid bond interface up/down cycles: `rlb_arp_recv()` can still be reached after `recv_probe` is set to NULL, so it runs concurrently with `rlb_deinitialize()`, which frees `rx_hashtbl`. This race condition results in a null-pointer dereference detected by KASAN, with the crash manifesting in `rlb_arp_recv+0x505/0xab0`. The vulnerability is triggered when ARP messages are received while `ip link set bond0 up/down` is executed repeatedly. The fix sets `recv_probe` to NULL and then calls `synchronize_net()` to ensure all concurrent RX processing completes before `rx_hashtbl` is freed in `bond_alb_deinitialize()`.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

System administrators running Linux systems with network bonding in ALB mode (balance-alb, mode 6), particularly those with dynamic network configurations or automated network management that may trigger rapid interface state changes. Cloud providers and hosting environments using bonded interfaces for redundancy should prioritize this patch.

Technical summary

The vulnerability is a use-after-free in the Linux kernel's bonding driver ALB (Adaptive Load Balancing) implementation. The RX path (`rlb_arp_recv`) can race with bond teardown (`rlb_deinitialize`) during rapid interface up/down operations. After `recv_probe` is set to NULL, concurrent RX handlers may still access `rx_hashtbl`, which is freed by `rlb_deinitialize()`, resulting in a UAF. The fix ensures proper synchronization by calling `synchronize_net()` before the hash table is freed.

Defensive priority

high

Recommended defensive actions

  • Apply kernel patches from stable kernel git repositories when available for your distribution
  • Monitor for distribution-specific security advisories for kernel updates
  • If running systems with bonding ALB mode, plan maintenance windows for kernel updates
  • Review systems using `mode=6` (balance-alb) in bonding configuration as potentially affected
  • Consider network interface stability measures to reduce rapid up/down cycling until patched
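To support the `mode=6` review above, the following added example (not PatchSiren's or the kernel project's own code) lists bonds that are currently in balance-alb mode by reading the bonding driver's sysfs files. The function name `list_alb_bonds` and its optional root-directory argument are assumptions introduced here so the check can also be run against a copied or constructed sysfs tree.

```shell
#!/bin/sh
# Added example: report bonding interfaces running in balance-alb (mode 6),
# the mode whose ALB receive path is affected by this CVE.
# Reads the bonding driver's sysfs files:
#   <root>/bonding_masters        space-separated list of bond names
#   <root>/<bond>/bonding/mode    e.g. "balance-alb 6"
#   <root>/<bond>/bonding/slaves  space-separated member interfaces
#   <root>/<bond>/operstate       e.g. "up" / "down"

# list_alb_bonds [ROOT]
# ROOT defaults to /sys/class/net; the argument is an assumption of this
# example, used to point the check at a test tree.
list_alb_bonds() {
    root="${1:-/sys/class/net}"
    masters="$root/bonding_masters"

    # No bonding_masters file: bonding module not loaded, nothing to report.
    [ -r "$masters" ] || return 0

    for bond in $(cat "$masters"); do
        mode_file="$root/$bond/bonding/mode"
        [ -r "$mode_file" ] || continue

        # The mode file holds the mode name followed by its number.
        name=""; num=""
        read -r name num < "$mode_file" || true

        if [ "$num" = "6" ] || [ "$name" = "balance-alb" ]; then
            state=$(cat "$root/$bond/operstate" 2>/dev/null || echo unknown)
            slaves=$(cat "$root/$bond/bonding/slaves" 2>/dev/null | tr ' ' ',')
            printf '%s mode=%s(%s) operstate=%s slaves=%s\n' \
                "$bond" "$name" "$num" "$state" "$slaves"
        fi
    done
}

# Run against the live system when executed directly.
list_alb_bonds "${SYSFS_NET:-/sys/class/net}"
```

Empty output means no bond on the host is in ALB mode; any line printed identifies a bond to include in the kernel update plan.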

Evidence notes

The CVE description provides detailed KASAN crash output showing the null-pointer dereference in `rlb_arp_recv` at offset 0x505, with the RDI register containing 0x00000000000000e8, indicating the invalid memory access. The call trace confirms the issue occurs in IRQ context during network receive processing. Multiple stable kernel commits are referenced, indicating backports to various kernel versions.

Official resources

2026-05-27