Skip to main content
Mallory
Back to vulnerabilities
High

Linux kernel bonding type confusion in bond_setup_by_slave()

IdentifiersCVE-2026-43456CWE-843

CVE-2026-43456 is a Linux kernel vulnerability in the bonding driver caused by type confusion in bond_setup_by_slave(). When a non-Ethernet slave device such as a GRE tunnel is enslaved to a bond interface, the bonding code copies the slave device's header_ops directly into the bond device. Later, when dev_hard_header() invokes callbacks such as ipgre_header() or ip6gre_header() through those inherited header_ops, the callback executes in the context of the bond device rather than the original slave device. Those header functions use netdev_priv(dev) and therefore interpret the bond device's private data (struct bonding) as if it were the slave driver's expected private structure (for example struct ip_tunnel). This results in invalid memory interpretation, garbage values, and kernel crashes, as evidenced by the reported BUG in pskb_expand_head(). The upstream fix introduces bond_header_ops wrapper functions that dispatch to the active slave's header_ops using the slave device itself, ensuring netdev_priv() resolves to the correct private data layout.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful triggering causes kernel instability and denial of service through a kernel BUG/Oops and crash path during packet header construction. Based on the provided information, the demonstrated impact is system crash rather than confirmed privilege escalation or code execution.

Mitigation

If you can’t patch tonight, do this now.

Until patched, avoid enslaving non-Ethernet devices that provide device-specific header_ops, such as GRE/IPGRE tunnel interfaces, to bond interfaces. Restrict configurations that combine bonding with tunnel-type slave devices, and monitor for kernel crashes associated with packet transmission over such bonded interfaces. Where possible, use only supported Ethernet-like slave devices for bonding.

Remediation

Patch, then assume compromise.

Apply the upstream kernel fix for CVE-2026-43456 in the bonding driver. The fix replaces blind inheritance of a slave's header_ops with bonding-specific wrapper header_ops that call the active slave's header functions using the slave net_device, preserving the correct netdev_priv() type expectations. Use a kernel release that includes this patch or backport the fix to affected supported kernels.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-43456
NVD
nvd.nist.gov/vuln/detail/CVE-2026-43456
MITRE CWE · CWE-843
cwe.mitre.org
Patch
git.kernel.org/stable/c/6ac890f1d60ac3707ee8dae15a67d9a833e49956
Patch
git.kernel.org/stable/c/950803f7254721c1c15858fbbfae3deaaeeecb11
Patch
git.kernel.org/stable/c/95597d11dc8bddb2b9a051c9232000bfbb5e43ba
Patch
git.kernel.org/stable/c/9baf26a91565b7bb2b1d9f99aaf884a2b28c2f6d