Impact
The vulnerability in the Linux kernel is a null pointer dereference in the XDP redirect path, triggered when a bond device that has never been opened is used. When a native XDP program is attached to any bond interface, the global interception key is set, causing the xdp_master_redirect() path to eventually call bond_rr_gen_slave_id() on the never-opened bond. The rr_tx_counter of a round-robin bonded interface is allocated in bond_open(); because bond_open() never ran for this bond, the counter is still NULL and the dereference triggers a kernel panic. This crash can be used to disrupt system operation, constituting a denial of service. The flaw does not provide remote code execution or arbitrary privilege escalation, but it can terminate critical services running on the affected kernel.
Affected Systems
Linux kernel releases prior to the patch that addressed the issue. All vendors distributing the Linux kernel are impacted because the fix is a kernel patch applied to the upstream source.
Risk and Exploitability
Relative risk appears high because a kernel panic disrupts entire system operation, which is a serious denial of service when the attacker can trigger it. No CVSS score is available, and the EPSS score is not provided in the CVE data, so the exact likelihood of exploitation cannot be quantified. The vulnerability has not been catalogued in the CISA KEV list, indicating that known exploit code is not publicly documented. The likely attack vector requires the ability to load a native XDP program or otherwise manipulate bond interface configuration. An attacker with local privileged rights can attach the XDP program or change bond settings, triggering the null pointer dereference when the bonded interface has never been brought up. Because the flaw only manifests when XDP is enabled on an inactive bond, exploitation requires a scenario where a bond device exists but has not yet been opened.
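A host-side check for the precondition described above, as an added example that is not part of the advisory or the kernel fix: it reads the JSON printed by `ip -d -j link show` and lists round-robin bonds that are currently down while some bond has native XDP attached. The field names follow iproute2's JSON output as assumed here, `exposed_bonds()` and the sample data are constructed for illustration, and "down now" is only an approximation of "never opened".

```python
import json
import sys

# Constructed sample shaped like `ip -d -j link show` output; not from a real host.
SAMPLE = json.loads("""[
 {"ifname": "eth0", "flags": ["BROADCAST", "UP", "LOWER_UP"]},
 {"ifname": "bond0", "flags": ["MASTER", "UP", "LOWER_UP"], "xdp": {"mode": 1},
  "linkinfo": {"info_kind": "bond", "info_data": {"mode": "active-backup"}}},
 {"ifname": "bond1", "flags": ["BROADCAST", "MULTICAST", "MASTER"],
  "linkinfo": {"info_kind": "bond", "info_data": {"mode": "balance-rr"}}},
 {"ifname": "bond2", "flags": ["MASTER", "UP", "LOWER_UP"],
  "linkinfo": {"info_kind": "bond", "info_data": {"mode": "balance-rr"}}}
]""")

XDP_NATIVE = 1  # assumption: iproute2 reports driver-mode (native) XDP as mode 1


def is_bond(link):
    return link.get("linkinfo", {}).get("info_kind") == "bond"


def has_native_xdp(link):
    xdp = link.get("xdp", {})
    # Assumption: with several programs attached, each one is listed under "attached".
    modes = [xdp.get("mode")] + [a.get("mode") for a in xdp.get("attached", [])]
    return XDP_NATIVE in modes


def exposed_bonds(links):
    """Names of balance-rr bonds that are administratively down while any
    bond on the host has native XDP attached (the global-key condition)."""
    bonds = [l for l in links if is_bond(l)]
    if not any(has_native_xdp(b) for b in bonds):
        return []
    return sorted(
        b["ifname"] for b in bonds
        if b["linkinfo"].get("info_data", {}).get("mode") == "balance-rr"
        and "UP" not in b.get("flags", [])
    )


if __name__ == "__main__":
    # Pipe real data in: ip -d -j link show | python3 this_script.py
    links = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name in exposed_bonds(links):
        print(f"{name}: balance-rr bond is down while native XDP is attached to a bond")
```

A non-empty result means the host matches the precondition on an unpatched kernel; bringing the listed bonds up, removing them if unused, or installing the vendor kernel update removes it.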
OpenCVE Enrichment