CVE-2026-23310 Overview
CVE-2026-23310 is a Linux kernel vulnerability in the bpf/bonding subsystem. The flaw allows an inconsistent state between a loaded eXpress Data Path (XDP) program and the bonding driver's xmit_hash_policy setting. Specifically, bond_option_xmit_hash_policy_set() fails to validate XDP compatibility when changing the hash policy to vlan+srcmac on bonds in 802.3ad or balance-xor mode. This validation gap triggers a WARN_ON in dev_xdp_uninstall() when the bond device is later destroyed, producing kernel warnings and unstable state.
Critical Impact
A local user with network configuration privileges can leave a Linux kernel bond device in an inconsistent XDP state, triggering kernel warnings during teardown and potentially affecting system stability.
Affected Products
- Linux kernel bonding driver with XDP support
- Systems using 802.3ad (LACP) or balance-xor bond modes with native XDP
- Linux distributions shipping kernels prior to the fix commits referenced below
Discovery Timeline
- 2026-03-25 - CVE-2026-23310 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23310
Vulnerability Analysis
The Linux kernel bonding driver supports attaching native XDP programs to aggregated network interfaces. The function bond_xdp_check() enforces compatibility between the bond mode, the xmit_hash_policy, and any attached XDP program. For 802.3ad and balance-xor modes, bond_xdp_check() returns false when xmit_hash_policy is vlan+srcmac, because hardware offload typically strips the 802.1q payload required for that hashing policy.
While bond_option_mode_set() was updated by commit 094ee6017ea0 to consult bond_xdp_check() before allowing mode transitions, the symmetric path through bond_option_xmit_hash_policy_set() was never guarded. An administrator can therefore attach an XDP program with a compatible policy such as layer2+3, then switch the policy to vlan+srcmac while XDP remains loaded.
Root Cause
The root cause is missing input validation [CWE-20] in bond_option_xmit_hash_policy_set(). The function accepts the policy change without re-running bond_xdp_check() against the currently attached bond->xdp_prog. This produces a kernel state where bond->xdp_prog is set but the validation guard rejects the configuration as unsupported.
Attack Vector
Exploitation requires local privileges sufficient to configure bonding interfaces, typically CAP_NET_ADMIN. The attacker attaches a native XDP program to a bond in 802.3ad or balance-xor mode with a compatible xmit_hash_policy, then changes the policy to vlan+srcmac. When the bond device is destroyed, dev_xdp_uninstall() invokes bond_xdp_set(dev, NULL, NULL), which fails with -EOPNOTSUPP and triggers WARN_ON(dev_xdp_install(dev, mode, bpf_op, NULL, 0, NULL)). The vulnerability is described in prose only; no public exploitation code is available.
Detection Methods for CVE-2026-23310
Indicators of Compromise
- Kernel WARN_ON traces from dev_xdp_uninstall() referencing the bonding driver in dmesg or /var/log/kern.log
- Bond interfaces in 802.3ad or balance-xor mode with xmit_hash_policy=vlan+srcmac while an XDP program is attached
- Unexpected -EOPNOTSUPP errors during bond interface teardown
Detection Strategies
- Audit /proc/net/bonding/<bondX> files for combinations of mode 802.3ad or balance-xor with xmit_hash_policy: vlan+srcmac and active XDP programs
- Use ip link show and bpftool net show to enumerate XDP programs attached to bond interfaces and correlate with bond configuration
- Monitor kernel ring buffer for WARN_ON entries originating from bond_xdp_set or dev_xdp_uninstall
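The detection strategies above, as an added audit script that is not part of this advisory or of the kernel tree: it reads each bond's sysfs mode and xmit_hash_policy attributes, applies the 802.3ad/balance-xor plus vlan+srcmac rule that bond_xdp_check() enforces, and reports bonds that also show an XDP program in ip link show. The sysfs root and the XDP flag are parameters so the check can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example, not from the advisory or the kernel: audit bonds for the
# mode/xmit_hash_policy/XDP combination that bond_xdp_check() refuses, i.e.
# the inconsistent state CVE-2026-23310 leaves behind. Mode and policy are the
# first word of the sysfs "mode" and "xmit_hash_policy" attributes.

# policy_conflicts_with_xdp MODE POLICY
# Returns 0 when bond_xdp_check() would reject the pair (the case this CVE covers).
policy_conflicts_with_xdp() {
    case "$1" in
        802.3ad|balance-xor) [ "$2" = "vlan+srcmac" ] ;;
        *) return 1 ;;
    esac
}

# audit_bond SYSFS_NET BOND XDP_ATTACHED(yes|no)
# Prints a finding and returns 0 when BOND is in the vulnerable state.
# SYSFS_NET is normally /sys/class/net; a constructed tree works for testing.
audit_bond() {
    dir="$1/$2/bonding"
    [ -r "$dir/mode" ] && [ -r "$dir/xmit_hash_policy" ] || return 1
    mode=$(awk '{print $1}' "$dir/mode")
    policy=$(awk '{print $1}' "$dir/xmit_hash_policy")
    if [ "$3" = yes ] && policy_conflicts_with_xdp "$mode" "$policy"; then
        printf 'RISK %s: mode=%s xmit_hash_policy=%s with XDP attached\n' \
            "$2" "$mode" "$policy"
        return 0
    fi
    return 1
}

# xdp_attached BOND
# Returns 0 when `ip link show` lists an XDP program (native, generic or
# offloaded) on the device.
xdp_attached() {
    ip link show dev "$1" 2>/dev/null | grep -Eq ' xdp(generic|offload|multi)? '
}

# Walk every bond master on the live system; exit 0 if any finding was printed.
audit_all_bonds() {
    rc=1
    for b in $(cat /sys/class/net/bonding_masters 2>/dev/null); do
        if xdp_attached "$b"; then flag=yes; else flag=no; fi
        audit_bond /sys/class/net "$b" "$flag" && rc=0
    done
    return $rc
}

if [ "${1:-}" = "--live" ]; then audit_all_bonds; fi
```

Run it with `--live` on a host with iproute2 to walk every bond listed in /sys/class/net/bonding_masters; a non-zero exit means no finding.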
Monitoring Recommendations
- Forward kernel log events to a centralized logging platform and alert on bonding-related WARN_ON stack traces
- Track configuration changes to bonding xmit_hash_policy via auditd rules covering /sys/class/net/*/bonding/xmit_hash_policy
- Inventory hosts running custom XDP workloads on bonded interfaces and prioritize them for patching
How to Mitigate CVE-2026-23310
Immediate Actions Required
- Identify Linux hosts running bonded interfaces with attached XDP programs and inventory their xmit_hash_policy settings
- Avoid changing xmit_hash_policy to vlan+srcmac on bonds in 802.3ad or balance-xor mode while an XDP program is loaded
- Apply the upstream kernel patches referenced below as soon as vendor builds are available
Patch Information
The fix adds the missing bond_xdp_check() guard to bond_option_xmit_hash_policy_set(), rejecting incompatible policy changes when XDP is loaded. The upstream fix commits in the kernel Git tree are 0ace8027, 479d589b, 5c262bd0, d36ad7e1 and e85fa809.
Workarounds
- Detach any attached XDP program before modifying xmit_hash_policy on affected bond modes
- Restrict CAP_NET_ADMIN to trusted administrators and automation accounts to limit who can reconfigure bonding interfaces
- Pin xmit_hash_policy to a compatible value such as layer2+3 in configuration management for bonds that host XDP workloads
# Detach XDP from a bond before changing xmit_hash_policy
ip link set dev bond0 xdp off
echo layer2+3 > /sys/class/net/bond0/bonding/xmit_hash_policy
# Reattach the XDP program after policy is settled
ip link set dev bond0 xdp obj /path/to/prog.o sec xdp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.