CVE-2026-23171

High

Published: 14 February 2026

Published

14 February 2026

Modified

03 April 2026

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 5.4th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23171 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 5.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Flaw remediation requires timely patching of the Linux kernel bonding driver to eliminate the use-after-free vulnerability triggered by failed enslave operations after slave array updates.

SI-16 Memory Protection partial match

prevent

Memory protection safeguards prevent unauthorized access to freed memory in the kernel bonding driver, mitigating potential exploitation of the use-after-free during Tx operations.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Vulnerability scanning detects the presence of CVE-2026-23171 in vulnerable Linux kernel versions affected by the bonding enslave race condition.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Local kernel use-after-free in bonding driver directly enables privilege escalation via arbitrary code execution (T1068) and endpoint DoS via kernel crash (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved: bonding: fix use-after-free due to enslave fail after slave array update Fix a use-after-free which happens due to enslave failure after the new slave has been added to the array.…

Since the new slave can be used for Tx immediately, we can use it after it has been freed by the enslave error cleanup path which frees the allocated slave memory. Slave update array is supposed to be called last when further enslave failures are not expected. Move it after xdp setup to avoid any problems. It is very easy to reproduce the problem with a simple xdp_pass prog: ip l add bond1 type bond mode balance-xor ip l set bond1 up ip l set dev bond1 xdp object xdp_pass.o sec xdp_pass ip l add dumdum type dummy Then run in parallel: while :; do ip l set dumdum master bond1 1>/dev/null 2>&1; done; mausezahn bond1 -a own -b rand -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn" The crash happens almost immediately: [ 605.602850] Oops: general protection fault, probably for non-canonical address 0xe0e6fc2460000137: 0000 [#1] SMP KASAN NOPTI [ 605.602916] KASAN: maybe wild-memory-access in range [0x07380123000009b8-0x07380123000009bf] [ 605.602946] CPU: 0 UID: 0 PID: 2445 Comm: mausezahn Kdump: loaded Tainted: G B 6.19.0-rc6+ #21 PREEMPT(voluntary) [ 605.602979] Tainted: [B]=BAD_PAGE [ 605.602998] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 605.603032] RIP: 0010:netdev_core_pick_tx+0xcd/0x210 [ 605.603063] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 3e 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 6b 08 49 8d 7d 30 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 25 01 00 00 49 8b 45 30 4c 89 e2 48 89 ee 48 89 [ 605.603111] RSP: 0018:ffff88817b9af348 EFLAGS: 00010213 [ 605.603145] RAX: dffffc0000000000 RBX: ffff88817d28b420 RCX: 0000000000000000 [ 605.603172] RDX: 00e7002460000137 RSI: 0000000000000008 RDI: 07380123000009be [ 605.603199] RBP: ffff88817b541a00 R08: 0000000000000001 R09: fffffbfff3ed8c0c [ 605.603226] R10: ffffffff9f6c6067 R11: 0000000000000001 R12: 0000000000000000 [ 605.603253] R13: 073801230000098e R14: ffff88817d28b448 R15: ffff88817b541a84 [ 605.603286] FS: 00007f6570ef67c0(0000) GS:ffff888221dfa000(0000) knlGS:0000000000000000 [ 605.603319] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 605.603343] CR2: 00007f65712fae40 CR3: 000000011371b000 CR4: 0000000000350ef0 [ 605.603373] Call Trace: [ 605.603392] <TASK> [ 605.603410] __dev_queue_xmit+0x448/0x32a0 [ 605.603434] ? __pfx_vprintk_emit+0x10/0x10 [ 605.603461] ? __pfx_vprintk_emit+0x10/0x10 [ 605.603484] ? __pfx___dev_queue_xmit+0x10/0x10 [ 605.603507] ? bond_start_xmit+0xbfb/0xc20 [bonding] [ 605.603546] ? _printk+0xcb/0x100 [ 605.603566] ? __pfx__printk+0x10/0x10 [ 605.603589] ? bond_start_xmit+0xbfb/0xc20 [bonding] [ 605.603627] ? add_taint+0x5e/0x70 [ 605.603648] ? add_taint+0x2a/0x70 [ 605.603670] ? end_report.cold+0x51/0x75 [ 605.603693] ? bond_start_xmit+0xbfb/0xc20 [bonding] [ 605.603731] bond_start_xmit+0x623/0xc20 [bonding]

Deeper analysisAI

CVE-2026-23171 is a use-after-free vulnerability in the Linux kernel's bonding driver, triggered when enslaving a new slave interface fails after it has already been added to the slave array. This allows the freed slave memory to be accessed immediately for transmit (Tx) operations, leading to memory corruption. The issue affects the bonding module in Linux kernels, with a reproduction scenario involving creation of a bond interface in balance-xor mode, attachment of an XDP pass program, rapid repeated attempts to enslave a dummy interface, and concurrent TCP SYN flood traffic, resulting in a kernel oops and KASAN-detected wild memory access in netdev_core_pick_tx.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity and no user interaction, as indicated by its CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation involves concurrently attempting to enslave interfaces to a bond while generating traffic, potentially causing a kernel crash and denial of service via general protection fault. The use-after-free nature (CWE-416) may enable further impacts like arbitrary code execution or data leakage, given the high confidentiality, integrity, and availability impacts.

The provided patch references detail the fix: commit bd25b092a06a3e05f7e8bd6da6fa7318777d8c3d and e9acda52fd2ee0cdca332f996da7a95c5fd25294 move the slave array update to after XDP setup, ensuring it occurs only after enslave failures are no longer expected, preventing premature Tx use of the new slave. Security practitioners should update to kernels incorporating these stable commits to mitigate the issue.

Details

CWE(s): CWE-416

Affected Products

linux

linux kernel

6.19 · 5.15 — 6.18.9

CVEs Like This One

CVE-2024-57795Same product: Linux Linux Kernel

CVE-2026-31665Same product: Linux Linux Kernel

CVE-2025-21791Same product: Linux Linux Kernel

CVE-2024-57951Same product: Linux Linux Kernel

CVE-2025-21883Same product: Linux Linux Kernel

CVE-2026-31485Same product: Linux Linux Kernel

CVE-2026-31511Same product: Linux Linux Kernel

CVE-2025-21751Same product: Linux Linux Kernel

CVE-2023-53023Same product: Linux Linux Kernel

CVE-2026-31580Same product: Linux Linux Kernel

References

https://git.kernel.org/stable/c/bd25b092a06a3e05f7e8bd6da6fa7318777d8c3d
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e9acda52fd2ee0cdca332f996da7a95c5fd25294
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67