CVE-2026-23451 - Vulnerability Details

- bonding: prevent potential infinite loop in bond_header_parse()

Description

In the Linux kernel, the following vulnerability has been resolved:

bonding: prevent potential infinite loop in bond_header_parse()

bond_header_parse() can loop if a stack of two bonding devices is setup,
because skb->dev always points to the hierarchy top.

Add new "const struct net_device *dev" parameter to
(struct header_ops)->parse() method to make sure the recursion
is bounded, and that the final leaf parse method is called.

Published: 2026-04-03

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel bonding subsystem, a flaw causes the header parsing routine to recurse without bound when a stack of two bonded network interfaces is configured. Because the packet device reference always points to the top of the hierarchy, the parser repeatedly invokes itself without reaching the leaf, potentially leading to an infinite loop inside the kernel. This flaw falls under CWE‑835, which concerns infinite loops that can serve as denial‑of‑service avenues.

Affected Systems

All Linux kernel releases that have not yet incorporated the vendor‑supplied fix are potentially vulnerable. Any distribution that allows users to stack multiple bonded interfaces—common in enterprise switches, virtualized networking, and advanced routing setups—could experience this issue if the configuration hierarchy includes more than one bonding device.

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability is considered high severity, yet the EPSS score is below 1 %, indicating a low likelihood of exploitation at present. The flaw is not listed in the CISA KEV catalog, suggesting no publicly known exploits. The likely attack vector is an intentional or accidental network configuration that creates a bonded‑device stack; an attacker would need the ability to influence or control such a configuration. When triggered, the infinite loop could consume kernel CPU resources, potentially causing a system slowdown or crash, which in turn results in a denial‑of‑service condition.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`9baf26a91565b7bb2b1d9f99aaf884a2b28c2f6d`	affected	< 946bb6cacf0ccada7bc80f1cfa07c1ed79511c1c
`6ac890f1d60ac3707ee8dae15a67d9a833e49956`	affected	< 4172a7901cf43fe1cc63ef7a2ef33735ff7b7d13
`95597d11dc8bddb2b9a051c9232000bfbb5e43ba`	affected	< 9b49c854f14f5e2d493e562a1e28d2e57fe37371
`950803f7254721c1c15858fbbfae3deaaeeecb11`	affected	< b7405dcf7385445e10821777143f18c3ce20fa04

Linux

unaffected

Version	Status	Constraints
`6.18.19`	affected	< 6.18.20
`6.19.9`	affected	< 6.19.10

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[9baf26a91565b7bb2b1d9f99aaf884a2b28c2f6d,946bb6cacf0ccada7bc80f1cfa07c1ed79511c1c)`	affected	code_commit	—
`[6ac890f1d60ac3707ee8dae15a67d9a833e49956,4172a7901cf43fe1cc63ef7a2ef33735ff7b7d13)`	affected	code_commit	—
`[95597d11dc8bddb2b9a051c9232000bfbb5e43ba,9b49c854f14f5e2d493e562a1e28d2e57fe37371)`	affected	code_commit	—
`[950803f7254721c1c15858fbbfae3deaaeeecb11,b7405dcf7385445e10821777143f18c3ce20fa04)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`7.0-rc4`	affected	semver	—
`[0,7.0-rc4)`	unaffected	semver	—
`[6.18.20,6.19.0)`	unaffected	semver	—
`[6.19.10,6.20.0)`	unaffected	semver	—
`[7.0-rc5,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the bond_header_parse fix.
Reconfigure the network to avoid stacking two bonded interfaces until the fix is available.
Monitor system CPU usage for abnormal spikes that could indicate a looping condition.

Generated by OpenCVE AI on April 28, 2026 at 08:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00055.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/4172a7901cf43fe1cc63ef7a2ef33735ff7b7d13
https://git.kernel.org/stable/c/946bb6cacf0ccada7bc80f1cfa07c1ed79511c1c
https://git.kernel.org/stable/c/9b49c854f14f5e2d493e562a1e28d2e57fe37371
https://git.kernel.org/stable/c/b7405dcf7385445e10821777143f18c3ce20fa04
https://lore.kernel.org/linux-cve-announce/2026040316-CVE-2026-23451-1298@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23451
https://www.cve.org/CVERecord?id=CVE-2026-23451

History

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Tue, 07 Apr 2026 08:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-703

Sat, 04 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-835
References		https://lore.kernel.org/linux-cve-announce/2026040316-CVE-2026-23451-1298@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23451 https://www.cve.org/CVERecord?id=CVE-2026-23451
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Fri, 03 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-703

Fri, 03 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: bonding: prevent potential infinite loop in bond_header_parse() bond_header_parse() can loop if a stack of two bonding devices is setup, because skb->dev always points to the hierarchy top. Add new "const struct net_device *dev" parameter to (struct header_ops)->parse() method to make sure the recursion is bounded, and that the final leaf parse method is called.
Title		bonding: prevent potential infinite loop in bond_header_parse()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/4172a7901cf43fe1cc63ef7a2ef33735ff7b7d13 https://git.kernel.org/stable/c/946bb6cacf0ccada7bc80f1cfa07c1ed79511c1c https://git.kernel.org/stable/c/9b49c854f14f5e2d493e562a1e28d2e57fe37371 https://git.kernel.org/stable/c/b7405dcf7385445e10821777143f18c3ce20fa04

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T15:15:33.776Z

Updated: 2026-04-27T14:02:31.462Z

Reserved: 2026-01-13T15:37:46.020Z

Link: CVE-2026-23451

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-03T16:16:31.460

Modified: 2026-04-27T14:16:33.723

Link: CVE-2026-23451

Redhat

Severity : Moderate

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23451 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T09:00:06Z

Weaknesses

CWE-835

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object