CVE-2026-31502
Published: 22 April 2026
Summary
CVE-2026-31502 is a high-severity Type Confusion (CWE-843) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 2.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely remediation through application of vendor kernel patches directly resolves the type confusion in the team driver's header_ops handling for non-Ethernet ports.
Restricting the kernel to least functionality by disabling the team driver module when not required prevents loading and exploitation of the vulnerable code.
Vulnerability scanning identifies systems with unpatched Linux kernels vulnerable to this team driver type confusion in stacked topologies.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel type confusion in team driver enables low-priv exploitation for privilege escalation (T1068) or system crashes/DoS via incorrect private data handling in stacked netdev topologies (T1499.004).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: team: fix header_ops type confusion with non-Ethernet ports Similar to commit 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()") team has the same class of header_ops type confusion. For non-Ethernet ports, team_setup_by_port() copies port_dev->header_ops directly. When the team device later calls dev_hard_header() or dev_parse_header(), these callbacks can run with the team net_device instead of the real lower device, so netdev_priv(dev) is interpreted as the wrong private type and can crash. The syzbot report shows a crash in bond_header_create(), but the root cause is in team: the topology is gre -> bond -> team, and team calls the inherited header_ops with its own net_device instead of the lower device, so bond_header_create() receives a team device and interprets netdev_priv() as bonding private data, causing a type confusion crash. Fix this by introducing team header_ops wrappers for create/parse, selecting a team port under RCU, and calling the lower device callbacks with port->dev, so each callback always sees the correct net_device context. Also pass the selected lower device to the lower parse callback, so recursion is bounded in stacked non-Ethernet topologies and parse callbacks always run with the correct device context.
Deeper analysis
CVE-2026-31502 is a type confusion vulnerability (CWE-843) in the Linux kernel's team driver, affecting the handling of header_ops for non-Ethernet ports. The issue arises in team_setup_by_port(), which copies port_dev->header_ops directly to the team net_device. When callbacks like dev_hard_header() or dev_parse_header() are invoked, they execute with the team net_device context instead of the underlying lower device, leading netdev_priv(dev) to interpret the wrong private data type. This mirrors a prior bonding driver flaw and was demonstrated by syzbot in a topology of gre -> bond -> team, where bond_header_create() crashed due to misinterpreting team private data.
A local attacker with low privileges (AV:L/AC:L/PR:L) can exploit this vulnerability without user interaction (UI:N), with scope unchanged (S:U). Triggering the flawed header operations in stacked non-Ethernet topologies causes kernel crashes via type confusion, with potential for high impacts on confidentiality, integrity, and availability (CVSS 7.8). The CVSS vector indicates reliable exploitation leading to severe disruption or data compromise through incorrect private data handling.
Mitigation is provided through kernel patches in stable trees, such as commits 0a7468ed49a6b65d34abcc6eb60e15f7f6d34da0, 20491d384d973a63fbdaf7a71e38d69b0659ea55, 425000dbf17373a4ab8be9428f5dc055ef870a56, and 6d3161fa3eee64d46b766fb0db33ec7f300ef52d. These introduce team header_ops wrappers for create and parse operations, which select the correct team port under RCU, invoke lower device callbacks with the proper port->dev context, and pass the lower device to parse callbacks to bound recursion in stacked topologies.
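The following user-space model, added here as an example and not taken from the kernel or the upstream patches, shows why copying the port's header_ops pointer hands the callback the wrong device and how a wrapper that forwards the port's own device avoids it. The struct layouts, the `kind` tag, the `lower` field, the wrapper name `team_header_create` and the two `call_with_*` functions are simplified assumptions for illustration.

```c
#include <stddef.h>

/* User-space model: simplified stand-ins for kernel structures, not kernel code. */
enum priv_kind { PRIV_BOND, PRIV_TEAM };

struct net_device;
struct header_ops {
    int (*create)(struct net_device *dev);
};
struct net_device {
    const struct header_ops *header_ops;
    enum priv_kind kind;        /* model-only tag; the kernel has no such check */
    struct net_device *lower;   /* team: the selected port device (assumption) */
};

#define CONFUSED (-1)

/* Lower (bond) callback: assumes dev's private area holds bonding data. */
static int bond_header_create(struct net_device *dev)
{
    /* In the kernel this is where netdev_priv(dev) would be misread. */
    return dev->kind == PRIV_BOND ? 0 : CONFUSED;
}
static const struct header_ops bond_ops = { .create = bond_header_create };

/* Fixed pattern: the wrapper picks the port and passes the port's own device. */
static int team_header_create(struct net_device *team)
{
    struct net_device *port = team->lower;
    if (!port || !port->header_ops || !port->header_ops->create)
        return 0;               /* no usable port: nothing to build (model choice) */
    return port->header_ops->create(port);
}
static const struct header_ops team_ops = { .create = team_header_create };

/* Pre-fix behaviour: team inherits the port's header_ops pointer directly. */
int call_with_copied_ops(void)
{
    struct net_device bond = { &bond_ops, PRIV_BOND, NULL };
    struct net_device team = { bond.header_ops, PRIV_TEAM, &bond };
    return team.header_ops->create(&team);   /* callback sees the team device */
}

/* Post-fix behaviour: team installs its own wrapper ops. */
int call_with_wrapper_ops(void)
{
    struct net_device bond = { &bond_ops, PRIV_BOND, NULL };
    struct net_device team = { &team_ops, PRIV_TEAM, &bond };
    return team.header_ops->create(&team);   /* wrapper forwards the port device */
}
```

The model replaces the kernel's untyped private area with an explicit tag so the mismatch is reported as a return value instead of a bad memory access.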
Details
- CWE(s)