Impact
lapbeth_data_transmit() expects the underlying network device to be of type ARPHRD_ETHER; if that device takes on a different type, as announced by a NETDEV_PRE_TYPE_CHANGE event, the driver may operate on incorrect assumptions. The patch adds NOTIFY_BAD handling so that the bonding driver preserves the Ethernet expectation. While the CVE description does not explicitly state a crash, the unpatched logic could misconfigure the lapbether driver, leading to network service disruption or a denial of service.
Affected Systems
The vulnerability is in the Linux kernel’s lapbether networking driver. All kernel builds that contain this driver, including the release candidates up to 7.0rc7 as reflected in the supplied CPE strings, are potentially affected. No specific version numbers for the patch are listed, so any system running a kernel that includes the unpatched lapbether code should be considered vulnerable.
Risk and Exploitability
The CVSS score of 5.5 indicates moderate severity for a kernel‑level flaw that could affect network operations. An EPSS score of less than 1% suggests a very low likelihood of exploitation at the time of analysis, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation would require an attacker to trigger a NETDEV_PRE_TYPE_CHANGE event carrying a non‑Ethernet device type—something that can be achieved by altering bonding configurations or adding a non‑Ethernet interface—which could then cause the lapbether driver to behave inconsistently and potentially disrupt network services.
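To see whether a given host's kernel includes the driver at all, the following added example (not taken from the kernel patch or from OpenCVE) classifies the `lapbether` and `bonding` modules as loaded, built in, available on disk, or absent. The function names and the use of `/proc/modules`, `modules.builtin` and `modules.dep` as inputs are choices made for this example.

```shell
#!/bin/sh
# Added example (not kernel or OpenCVE code). The paths used at the bottom are
# the usual Linux locations; pass saved copies to check another host offline.

# module_state NAME PROC_MODULES MODULES_BUILTIN MODULES_DEP
# Prints one of: loaded | builtin | available | absent
module_state() {
    mod=$1; proc_modules=$2; builtin=$3; dep=$4
    # /proc/modules: the first field of each line is a loaded module's name.
    if [ -r "$proc_modules" ] &&
       awk -v m="$mod" '$1 == m {f=1} END {exit !f}' "$proc_modules"; then
        echo loaded; return 0
    fi
    # modules.builtin: one path per line for code compiled into the kernel.
    if [ -r "$builtin" ] && grep -Eq "(^|/)${mod}\.ko\$" "$builtin"; then
        echo builtin; return 0
    fi
    # modules.dep: "path/NAME.ko[.zst|.xz|.gz]: deps". Match only the key
    # before the colon, not modules that merely appear as a dependency.
    if [ -r "$dep" ] && grep -Eq "^([^:]*/)?${mod}\.ko(\.[a-z0-9]+)?:" "$dep"; then
        echo available; return 0
    fi
    echo absent
}

# report KDIR: state of the driver named on this page and of bonding,
# which the page cites as one way the type-change event is triggered.
report() {
    kdir=$1
    for m in lapbether bonding; do
        printf '%s: %s\n' "$m" \
            "$(module_state "$m" /proc/modules "$kdir/modules.builtin" "$kdir/modules.dep")"
    done
}

report "/lib/modules/$(uname -r)"
```

A result of `absent` for `lapbether` means the running kernel's module tree does not ship the driver; any other result means the patch status of that kernel needs to be confirmed with the distribution.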