CVE-2026-23119 Overview
CVE-2026-23119 is a Linux kernel vulnerability in the bonding network driver. The flaw resides in bond_flow_dissect() within drivers/net/bonding/bond_main.c, which calls __skb_flow_dissect() without supplying a valid network namespace pointer. After commit 3cbf4ffba5ee plumbed the network namespace into __skb_flow_dissect(), callers must pass a net pointer via skb->dev, skb->sk, or directly. The syzbot fuzzer triggered the issue by crafting a bare socket buffer (skb) through the BPF XDP test infrastructure, producing a kernel warning at net/core/flow_dissector.c:1131. Local attackers with the ability to run BPF programs can use this path to crash the kernel or destabilize bonded network interfaces.
Critical Impact
A local unprivileged user able to invoke BPF test infrastructure can reach an unsafe code path in the bonding driver, causing kernel warnings and potential denial of service on affected systems.
Affected Products
- Linux Kernel 6.19-rc1 through 6.19-rc6
- Earlier stable branches receiving the 3cbf4ffba5ee backport (per kernel.org stable commits)
- Systems with the bonding driver (CONFIG_BONDING) enabled
Discovery Timeline
- 2026-02-14 - CVE-2026-23119 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-23119
Vulnerability Analysis
The vulnerability is a kernel-level input validation and missing-context error [CWE-NVD-noinfo] in the Linux bonding driver. When bond_flow_dissect() processes an outgoing socket buffer to compute a transmit hash, it calls __skb_flow_dissect() to parse packet headers. Since commit 3cbf4ffba5ee ("net: plumb network namespace into __skb_flow_dissect"), this function requires a valid network namespace reference, derived from skb->dev, skb->sk, or an explicit argument.
The bonding code did not guarantee any of these were populated. When syzbot supplied a bare skb through the BPF XDP test harness (bpf_prog_test_run_xdp), the call chain reached bond_flow_dissect() and ultimately __skb_flow_dissect() without a net pointer, triggering a WARN at net/core/flow_dissector.c:1131.
Root Cause
The root cause is an unstated API contract between __skb_flow_dissect() and its callers. The bonding driver's transmit hashing path was not updated when the dissector began requiring namespace context, leaving bond_flow_dissect() to invoke the dissector on skbs lacking dev and sk references. The fix passes an explicit net pointer into the dissector from the bonding driver.
Attack Vector
Exploitation requires local access and the ability to load or invoke BPF programs, typically the CAP_BPF or CAP_SYS_ADMIN capability, or an unprivileged BPF configuration. An attacker triggers the path by submitting a crafted skb to bpf_prog_test_run_xdp() against a bonded interface configured for XDP redirect. The result is a kernel warning and possible follow-on instability of the bonding device, producing availability impact without confidentiality or integrity loss.
No exploitation code beyond the syzbot reproducer is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-23119
Indicators of Compromise
- Kernel log entries containing WARNING: net/core/flow_dissector.c:1131 at __skb_flow_dissect
- Stack traces referencing bond_flow_dissect, __bond_xmit_hash, bond_xdp_xmit_3ad_xor_slave_get, or xdp_master_redirect
- Unexpected bpf_prog_test_run_xdp invocations from unprivileged user sessions in audit logs
Detection Strategies
- Monitor dmesg and /var/log/kern.log for repeated flow dissector warnings tied to the bonding driver
- Correlate kernel warnings with the originating PID and UID using auditd rules on the bpf syscall
- Track running kernel versions against the fixed stable releases referenced in the kernel.org commits
Monitoring Recommendations
- Enable kernel.panic_on_warn=0 only where stability data collection is needed, and ship warnings to centralized logging
- Audit BPF program loads with auditctl -a always,exit -F arch=b64 -S bpf -k bpf_activity
- Alert on processes invoking BPF XDP test runs against bonded interfaces from non-administrative users
How to Mitigate CVE-2026-23119
Immediate Actions Required
- Apply the upstream kernel patches referenced in the kernel.org stable commits as soon as your distribution publishes updated kernels
- Restrict unprivileged BPF by setting kernel.unprivileged_bpf_disabled=1 via sysctl
- Limit CAP_BPF and CAP_SYS_ADMIN to trusted service accounts only
Patch Information
The fix is committed across multiple stable branches. Reference commits include Kernel Git Commit 0efee0b, Kernel Git Commit 3be945a, Kernel Git Commit 5f9b329, Kernel Git Commit 8e53780, Kernel Git Commit bc3c8d2, Kernel Git Commit de97735, and Kernel Git Commit f4faaa1. The patch ensures bond_flow_dissect() passes a valid net namespace pointer to __skb_flow_dissect().
Workarounds
- Disable unprivileged BPF system-wide where workloads do not require it
- Avoid attaching XDP programs to bonded interfaces until kernels are patched
- Use seccomp profiles to block the bpf syscall in untrusted containers and workloads
# Configuration example
# Disable unprivileged BPF and persist across reboots
sudo sysctl -w kernel.unprivileged_bpf_disabled=1
echo 'kernel.unprivileged_bpf_disabled=1' | sudo tee /etc/sysctl.d/99-bpf-hardening.conf
# Verify current kernel version against fixed stable branches
uname -r
# Audit BPF syscalls
sudo auditctl -a always,exit -F arch=b64 -S bpf -k bpf_activity
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
