Description
In the Linux kernel, the following vulnerability has been resolved:

team: fix header_ops type confusion with non-Ethernet ports

Similar to commit 950803f72547 ("bonding: fix type confusion in
bond_setup_by_slave()") team has the same class of header_ops type
confusion.

For non-Ethernet ports, team_setup_by_port() copies port_dev->header_ops
directly. When the team device later calls dev_hard_header() or
dev_parse_header(), these callbacks can run with the team net_device
instead of the real lower device, so netdev_priv(dev) is interpreted as
the wrong private type and can crash.

The syzbot report shows a crash in bond_header_create(), but the root
cause is in team: the topology is gre -> bond -> team, and team calls
the inherited header_ops with its own net_device instead of the lower
device, so bond_header_create() receives a team device and interprets
netdev_priv() as bonding private data, causing a type confusion crash.

Fix this by introducing team header_ops wrappers for create/parse,
selecting a team port under RCU, and calling the lower device callbacks
with port->dev, so each callback always sees the correct net_device
context.

Also pass the selected lower device to the lower parse callback, so
recursion is bounded in stacked non-Ethernet topologies and parse
callbacks always run with the correct device context.
Published: 2026-04-22
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel crash (Denial of Service)
Action: Apply Patch
AI Analysis

Impact

The vulnerability in the Linux kernel is a type confusion flaw that occurs when a team network device, configured on a non‑Ethernet port, copies the port’s header_ops directly. When the team device later calls dev_hard_header or dev_parse_header, the wrong private data is interpreted as belonging to the team device, leading to a kernel crash. The crash is triggered by a misguided call to the bonding stack where the lower device’s header_ops receives a team device context, causing an incorrect netdev_priv interpretation and a type confusion fault.

Affected Systems

All Linux kernel implementations that include the team networking framework are affected; no specific kernel version range is listed, so any kernel before the commit that introduced the fix is potentially vulnerable.

Risk and Exploitability

The EPSS score is < 1%, and the vulnerability is not listed in CISA’s KEV catalog, indicating limited publicly known exploitation. Based on the description, it is inferred that an attacker could trigger the bug by sending crafted network traffic to a team device configured on a non‑Ethernet port, potentially allowing a remote attacker to induce a kernel panic and disrupt service. The CVSS score of 7.8 reflects the high‑severity potential for denial of service due to a kernel crash.

Generated by OpenCVE AI on April 28, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the commit introducing team header_ops wrappers for create and parse callbacks.
  • Ensure that the system is not running older kernels that were compiled before the fix was applied.
  • If the team networking functionality is unnecessary, disable or remove team network devices to eliminate the attack surface.

Generated by OpenCVE AI on April 28, 2026 at 20:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Tue, 28 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-20

Tue, 28 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:3.7:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-20

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-843
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: team: fix header_ops type confusion with non-Ethernet ports Similar to commit 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()") team has the same class of header_ops type confusion. For non-Ethernet ports, team_setup_by_port() copies port_dev->header_ops directly. When the team device later calls dev_hard_header() or dev_parse_header(), these callbacks can run with the team net_device instead of the real lower device, so netdev_priv(dev) is interpreted as the wrong private type and can crash. The syzbot report shows a crash in bond_header_create(), but the root cause is in team: the topology is gre -> bond -> team, and team calls the inherited header_ops with its own net_device instead of the lower device, so bond_header_create() receives a team device and interprets netdev_priv() as bonding private data, causing a type confusion crash. Fix this by introducing team header_ops wrappers for create/parse, selecting a team port under RCU, and calling the lower device callbacks with port->dev, so each callback always sees the correct net_device context. Also pass the selected lower device to the lower parse callback, so recursion is bounded in stacked non-Ethernet topologies and parse callbacks always run with the correct device context.
Title team: fix header_ops type confusion with non-Ethernet ports
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:09:58.951Z

Reserved: 2026-03-09T15:48:24.104Z

Link: CVE-2026-31502

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T14:16:48.713

Modified: 2026-04-28T14:47:01.397

Link: CVE-2026-31502

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31502 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T21:00:14Z

Weaknesses