Description
In the Linux kernel, the following vulnerability has been resolved:

net: bonding: fix NULL pointer dereference in bond_do_ioctl()

In bond_do_ioctl(), slave_dev is obtained via __dev_get_by_name() which
can return NULL if the requested interface name does not exist. However,
the subsequent slave_dbg() call is placed before the NULL check:

    slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
    slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev); //here
    if (!slave_dev)
        return -ENODEV;

The slave_dbg() macro expands to netdev_dbg(bond_dev, "(slave %s): " fmt,
(slave_dev)->name, ...) which unconditionally dereferences slave_dev->name
before the NULL check is performed. This results in a NULL pointer
dereference kernel oops when a user calls bonding ioctl (e.g.
SIOCBONDENSLAVE, SIOCBONDRELEASE, etc.) with a non-existent slave
interface name.

This is reachable from userspace via the bonding ioctl interface with
CAP_NET_ADMIN capability, making it a potential local denial-of-service
vector.

Fix by moving the slave_dbg() call after the NULL check.
Published: 2026-07-01
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A NULL pointer dereference in the Linux kernel bonding driver occurs when bond_do_ioctl() calls a debug routine on a slave device pointer before verifying that the pointer is non‑NULL. This unguarded dereference results in a kernel oops and a crash that can be triggered by any user space process that has CAP_NET_ADMIN capability. The flaw exemplifies a classic null‑pointer dereference weakness (CWE‑476) and causes a local denial‑of‑service by bringing down the kernel.
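The ordering problem from the description, as an added userspace C model (not kernel code and not taken from the fix commit). The struct net_device stand-in, dev_get_by_name(), dbg_buf, the device table and the two ioctl_* functions are simplified assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#define IFNAMSIZ 16
struct net_device { char name[IFNAMSIZ]; };  /* simplified stand-in */
/* Constructed device table standing in for the namespace's interfaces. */
static struct net_device devs[] = { { "eth0" }, { "eth1" } };
static char dbg_buf[96];                     /* last debug line written */

/* Stand-in for __dev_get_by_name(): NULL when the name is unknown. */
static struct net_device *dev_get_by_name(const char *name)
{
    for (size_t i = 0; i < sizeof(devs) / sizeof(devs[0]); i++)
        if (strncmp(devs[i].name, name, IFNAMSIZ) == 0)
            return &devs[i];
    return NULL;
}

/* Same shape as the quoted macro: it reads (slave_dev)->name by itself. */
#define slave_dbg(bond, slave_dev, fmt, ...) \
    snprintf(dbg_buf, sizeof(dbg_buf), "%s: (slave %s): " fmt, \
             (bond), (slave_dev)->name, __VA_ARGS__)

/* Pre-fix ordering: macro before the check; only called with known names here. */
int ioctl_before_fix(const char *bond, const char *ifr_slave)
{
    struct net_device *slave_dev = dev_get_by_name(ifr_slave);
    slave_dbg(bond, slave_dev, "slave_dev=%p", (void *)slave_dev);
    if (!slave_dev)
        return -ENODEV;
    return 0;
}

/* Fixed ordering: reject the missing device first, then log. */
int ioctl_after_fix(const char *bond, const char *ifr_slave)
{
    struct net_device *slave_dev = dev_get_by_name(ifr_slave);
    dbg_buf[0] = '\0';
    if (!slave_dev)
        return -ENODEV;
    slave_dbg(bond, slave_dev, "slave_dev=%p", (void *)slave_dev);
    return 0;
}

int main(void)
{
    printf("eth0  -> %d\n", ioctl_after_fix("bond0", "eth0"));
    printf("nope0 -> %d\n", ioctl_after_fix("bond0", "nope0"));
    return 0;
}
```

With the fixed ordering, an unknown name returns -ENODEV and the logging macro is never reached, so nothing is read through the NULL pointer.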

Affected Systems

All Linux kernel builds that include the generic bonding driver and expose the bonding ioctl interface are potentially vulnerable; no specific release or patch level is specified. The impact applies to all users of the bonding feature regardless of the particular distribution or kernel configuration.

Risk and Exploitability

The vulnerability is reachable locally from user space by invoking bonding ioctl commands such as SIOCBONDENSLAVE or SIOCBONDRELEASE with a non-existent slave interface name. An attacker must hold CAP_NET_ADMIN to trigger it, so the attack vector is local and privileged. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but because the result is a kernel crash, the DoS effect is immediate and complete once triggered. The risk is therefore moderate to high for systems that expose bonding ioctl and allow trusted users to manipulate bonding interfaces. The likely attack path involves a local administrator or a compromised privileged process. Since no remote code execution is possible, the impact remains confined to local denial of service.

Generated by OpenCVE AI on July 1, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that incorporates the commit moving the debug call after the NULL check
  • Restrict the CAP_NET_ADMIN capability to trusted users or processes only
  • If an update cannot be applied, remove or disable bonding interfaces from the system



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Weaknesses | | CWE-476 |

Wed, 01 Jul 2026 13:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Full description text, identical to the Description section above |
| Title | | net: bonding: fix NULL pointer dereference in bond_do_ioctl() |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Vendors & Products | | Linux; Linux linux Kernel |
| References | | |
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-01T13:32:19.046Z

Reserved: 2026-06-09T07:44:35.399Z

Link: CVE-2026-53337

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T21:30:16Z

Weaknesses