HOMEVULNERABILITIESCVE-2026-23171
NONE

CVE-2026-23171

Published: February 14, 2026· Updated: Feb 18, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:4.5th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

bonding: fix use-after-free due to enslave fail after slave array update

Fix a use-after-free which happens due to enslave failure after the new

slave has been added to the array. Since the new slave can be used for Tx

immediately, we can use it after it has been freed by the enslave error

cleanup path which frees the allocated slave memory. Slave update array is

supposed to be called last when further enslave failures are not expected.

Move it after xdp setup to avoid any problems.

It is very easy to reproduce the problem with a simple xdp_pass prog:

ip l add bond1 type bond mode balance-xor

ip l set bond1 up

ip l set dev bond1 xdp object xdp_pass.o sec xdp_pass

ip l add dumdum type dummy

Then run in parallel:

while :; do ip l set dumdum master bond1 1>/dev/null 2>&1; done;

mausezahn bond1 -a own -b rand -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn"

The crash happens almost immediately:

[ 605.602850] Oops: general protection fault, probably for non-canonical address 0xe0e6fc2460000137: 0000 [#1] SMP KASAN NOPTI

[ 605.602916] KASAN: maybe wild-memory-access in range [0x07380123000009b8-0x07380123000009bf]

[ 605.602946] CPU: 0 UID: 0 PID: 2445 Comm: mausezahn Kdump: loaded Tainted: G B 6.19.0-rc6+ #21 PREEMPT(voluntary)

[ 605.602979] Tainted: [B]=BAD_PAGE

[ 605.602998] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014

[ 605.603032] RIP: 0010:netdev_core_pick_tx+0xcd/0x210

[ 605.603063] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 3e 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 6b 08 49 8d 7d 30 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 25 01 00 00 49 8b 45 30 4c 89 e2 48 89 ee 48 89

[ 605.603111] RSP: 0018:ffff88817b9af348 EFLAGS: 00010213

[ 605.603145] RAX: dffffc0000000000 RBX: ffff88817d28b420 RCX: 0000000000000000

[ 605.603172] RDX: 00e7002460000137 RSI: 0000000000000008 RDI: 07380123000009be

[ 605.603199] RBP: ffff88817b541a00 R08: 0000000000000001 R09: fffffbfff3ed8c0c

[ 605.603226] R10: ffffffff9f6c6067 R11: 0000000000000001 R12: 0000000000000000

[ 605.603253] R13: 073801230000098e R14: ffff88817d28b448 R15: ffff88817b541a84

[ 605.603286] FS: 00007f6570ef67c0(0000) GS:ffff888221dfa000(0000) knlGS:0000000000000000

[ 605.603319] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

[ 605.603343] CR2: 00007f65712fae40 CR3: 000000011371b000 CR4: 0000000000350ef0

[ 605.603373] Call Trace:

[ 605.603392] <TASK>

[ 605.603410] __dev_queue_xmit+0x448/0x32a0

[ 605.603434] ? __pfx_vprintk_emit+0x10/0x10

[ 605.603461] ? __pfx_vprintk_emit+0x10/0x10

[ 605.603484] ? __pfx___dev_queue_xmit+0x10/0x10

[ 605.603507] ? bond_start_xmit+0xbfb/0xc20 [bonding]

[ 605.603546] ? _printk+0xcb/0x100

[ 605.603566] ? __pfx__printk+0x10/0x10

[ 605.603589] ? bond_start_xmit+0xbfb/0xc20 [bonding]

[ 605.603627] ? add_taint+0x5e/0x70

[ 605.603648] ? add_taint+0x2a/0x70

[ 605.603670] ? end_report.cold+0x51/0x75

[ 605.603693] ? bond_start_xmit+0xbfb/0xc20 [bonding]

[ 605.603731] bond_start_xmit+0x623/0xc20 [bonding]

NVD Source

Technical Analysis

CVE-2026-23171 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
LinuxDebianCanonical
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (2)

Quick Facts

CVE IDCVE-2026-23171
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedFeb 14, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23171 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.