Impact
This vulnerability in the Linux kernel arises from a null pointer dereference in the XDP redirect path when a bonding interface that has never been brought up is used. Attaching a native XDP program to any bond device enables a global interception key that causes the redirect logic to call bond_rr_gen_slave_id() on the uninitialized bond, dereferencing a NULL rr_tx_counter and causing a kernel panic. The crash can be triggered by loading an XDP program or manipulating bond configuration, leading to a denial of service without providing remote code execution or privilege escalation.
Affected Systems
Linux kernel releases prior to the patch that addressed the issue. All vendors distributing the Linux kernel are impacted because the fix is a kernel patch applied to the upstream source.
Risk and Exploitability
The risk appears substantial because a kernel panic halts system operation, and the CVSS score of 7.5 indicates high severity. The EPSS score is reported as < 1%, indicating a low probability of exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog, meaning no publicly documented exploit code exists. The likely attack vector requires the ability to load a native XDP program or manipulate bond interface configuration, which typically requires local privileged access.
OpenCVE Enrichment
Debian DLA