MEDIUM

CVE-2026-31546

Published: April 24, 2026 · Updated: Apr 28, 2026

CVSS v3.1: 5.5
EPSS: 0.02% probability of exploitation in 30 days · Percentile: 6.8th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

net: bonding: fix NULL deref in bond_debug_rlb_hash_show

rlb_clear_slave intentionally keeps RLB hash-table entries on the rx_hashtbl_used_head list with slave set to NULL when no replacement slave is available. However, bond_debug_rlb_hash_show visits client_info->slave without checking if it's NULL.

Other used-list iterators in bond_alb.c already handle this NULL-slave state safely:

- rlb_update_client returns early on !client_info->slave
- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance compare slave values before visiting
- rlb_req_update_subnet_clients continues if slave is NULL

The following NULL deref crash can be triggered in bond_debug_rlb_hash_show:

[ 1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41)
[ 1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286
[ 1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204
[ 1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078
[ 1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000
[ 1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0
[ 1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8
[ 1.294864] FS: 0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000
[ 1.295239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0
[ 1.295897] Call Trace:
[ 1.296134] seq_read_iter (fs/seq_file.c:231)
[ 1.296341] seq_read (fs/seq_file.c:164)
[ 1.296493] full_proxy_read (fs/debugfs/file.c:378 (discriminator 1))
[ 1.296658] vfs_read (fs/read_write.c:572)
[ 1.296981] ksys_read (fs/read_write.c:717)
[ 1.297132] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
[ 1.297325] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

Add a NULL check and print "(none)" for entries with no assigned slave.

NVD Source
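The fix described above, as an added user-space model (not the kernel patch and not code from this page): a walk over the used list that either reads slave unchecked or prints "(none)" for entries whose slave is NULL. The struct layouts, the field names other than slave, the RLB_NULL_INDEX value, the output format and the sample table are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define RLB_NULL_INDEX 0xffffffffu /* end-of-list marker (assumed value) */
/* Simplified user-space stand-ins for the kernel structures. */
struct slave { const char *name; };
struct rlb_client_info {
    uint32_t ip_dst;
    uint32_t used_next;   /* index of the next entry on the used list */
    struct slave *slave;  /* NULL when no replacement slave was available */
};
/* Constructed sample: three used entries, the middle one has lost its slave. */
static struct slave eth0 = { "eth0" };
static const struct rlb_client_info sample_tbl[4] = {
    [0] = { 0x0a000001, 2, &eth0 },
    [2] = { 0x0a000002, 3, NULL },
    [3] = { 0x0a000003, RLB_NULL_INDEX, &eth0 },
};

/* One line per used entry; returns the line count, or <0 (see inline). */
static int rlb_hash_show(const struct rlb_client_info *tbl, uint32_t head,
                         int check_null, char *out, size_t outlen)
{
    size_t off = 0;
    int lines = 0;
    if (outlen)
        out[0] = '\0';
    for (uint32_t i = head; i != RLB_NULL_INDEX; i = tbl[i].used_next) {
        const char *dev = "(none)";        /* what the fix prints */
        if (tbl[i].slave)
            dev = tbl[i].slave->name;
        else if (!check_null)
            return -1;                     /* pre-fix: slave is read here */
        int n = snprintf(out + off, outlen - off, "%08x %s\n",
                         (unsigned)tbl[i].ip_dst, dev);
        if (n < 0 || (size_t)n >= outlen - off)
            return -2;                     /* output buffer too small */
        off += (size_t)n;
        lines++;
    }
    return lines;
}

int main(void)
{
    char buf[128];
    printf("unchecked rc=%d\n", rlb_hash_show(sample_tbl, 0, 0, buf, sizeof buf));
    printf("checked rc=%d\n", rlb_hash_show(sample_tbl, 0, 1, buf, sizeof buf));
    fputs(buf, stdout);
    return 0;
}
```

The unchecked walk stops at the first entry with no slave instead of dereferencing it, which marks the point where the kernel handler faulted before the fix.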

Technical Analysis

CVE-2026-31546 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in availability disruption (denial of service), with a CVSS base score of 5.5.

CVSS v3.1 Vector Breakdown

Exploitability
Attack Vector: Local
Attack Complexity: Low
Privileges Req.: Low
User Interaction: None
Scope: Unchanged

Impact
Confidentiality: None
Integrity: None
Availability: High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Vendors & Products

Linux: 1 product (linux kernel)
Source: NVD CPE · 3 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time

Quick Facts

CVE ID: CVE-2026-31546
CVSS Score: 5.5 / 10
Severity: MEDIUM
CISA KEV: No
EPSS (30d): 0.02%
Affected: 1 vendor
Published: Apr 24, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-31546 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.