Impact
A race condition exists between read and write accesses to the port->aggregator field in the 3ad mode of the Linux bonding driver because the field lacks proper RCU protection. The missing __rcu qualifier allows concurrent reads and writes that can corrupt kernel memory or leave the bonding state machine in an inconsistent state. This corruption can lead to unexpected kernel crashes or a loss of network connectivity, effectively causing a denial of service for the affected host.
Affected Systems
All Linux kernel versions that have not yet incorporated the commit adding the __rcu qualifier to. The exposed CPE indicates the issue spans every Linux kernel; the specific affected release numbers are not enumerated, so any system running a kernel older than the patch commit should be considered at risk.
Risk and Exploitability
The CVSS score of 7.8 and an EPSS score of < 1% indicate a high severity and a low probability of exploitation. The likely attack vector is inferred to via netlink commands, as kernel bonding state machine. Because the flaw resides in kernel space, exploitation would typically require root or elevated privileges; no public exploits are currently listed in the CISA KEV catalog. Given the high CVSS score, low EPSS, and privileged nature of the attack, the overall risk is considered medium, while environments using 3ad bonding should address it promptly.
OpenCVE Enrichment
Debian DLA
Debian DSA