CVE-2026-53069 (HIGH)

Published: June 24, 2026 · Updated: June 28, 2026

CVSS v3.1 base score: 7.5
EPSS: 0.16% probability of exploitation in 30 days (5.6th percentile)

Official Description

In the Linux kernel, the following vulnerability has been resolved:

net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master

syzkaller reported a kernel panic in bond_rr_gen_slave_id() reached via xdp_master_redirect(). Full decoded trace:

https://syzkaller.appspot.com/bug?extid=80e046b8da2820b6ba73

bond_rr_gen_slave_id() dereferences bond->rr_tx_counter, a per-CPU counter that bonding only allocates in bond_open() when the mode is round-robin. If the bond device was never brought up, rr_tx_counter stays NULL.

The XDP redirect path can still reach that code on a bond that was never opened: bpf_master_redirect_enabled_key is a global static key, so as soon as any bond device has native XDP attached, the XDP_TX -> xdp_master_redirect() interception is enabled for every slave system-wide. The path xdp_master_redirect() -> bond_xdp_get_xmit_slave() -> bond_xdp_xmit_roundrobin_slave_get() -> bond_rr_gen_slave_id() then runs against a bond that has no rr_tx_counter and crashes.

Fix this in the generic xdp_master_redirect() by refusing to call into the master's ->ndo_xdp_get_xmit_slave() when the master device is not up. IFF_UP is only set after ->ndo_open() has successfully returned, so this reliably excludes masters whose XDP state has not been fully initialized. Drop the frame with XDP_ABORTED so the exception is visible via trace_xdp_exception() rather than silently falling through.

This is not specific to bonding: any current or future master that defers XDP state allocation to ->ndo_open() is protected.

Source: NVD

Technical Analysis

NVD scores CVE-2026-53069 as network-reachable with no privileges and no user interaction (AV:N/AC:L/PR:N/UI:N). Read that vector against the preconditions in the description: the crash needs a host where native XDP is attached to some bond (which flips the global bpf_master_redirect_enabled_key and enables the XDP_TX -> xdp_master_redirect() interception for every slave system-wide), plus a round-robin bond that has slaves but was never brought up, and an XDP program on one of those slaves that returns XDP_TX. The frame that triggers the path can arrive off the wire, but the device state it depends on is created by a local administrator, so exposure is limited to hosts running that configuration.

A successful trigger is a NULL pointer dereference in bond_rr_gen_slave_id() and a kernel panic: an availability impact only (C:N/I:N/A:H), scored 7.5. A kernel oops of this kind gives an attacker no code execution or data access, and nothing about the bug lends itself to self-propagation.
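The crash path from the description and the guard the fix adds, as an added example written for this page (not Linux kernel code): a userland C model in which every name ending in _model and the two *_scenario() functions are invented stand-ins for the objects the commit message names. bond_rr_gen_slave_id() dereferences a counter that only open() allocates, a global flag plays bpf_master_redirect_enabled_key, and xdp_master_redirect() is shown before and after the IFF_UP check.

```c
/*
 * Userland model of the guard the fix adds to xdp_master_redirect().
 * Added illustration code, not Linux kernel source: every *_model name
 * and the two *_scenario() functions are invented for this page.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define IFF_UP_MODEL 0x1u   /* stands in for IFF_UP: set only after open() succeeds */

/* The XDP verdicts the description mentions. */
enum xdp_action_model { XDP_ABORTED_MODEL = 0, XDP_TX_MODEL = 3, XDP_REDIRECT_MODEL = 4 };

/* A bond master in round-robin mode. rr_tx_counter is allocated in open()
 * only, so it stays NULL on a bond that has slaves but was never brought up. */
struct bond_model {
    unsigned int flags;
    uint32_t *rr_tx_counter;
    int slave_count;
};

/* Models bpf_master_redirect_enabled_key: on as soon as ANY bond attaches
 * native XDP, which is why every slave system-wide takes the redirect path. */
static int bpf_master_redirect_enabled_model;
/* Stands in for trace_xdp_exception(): counts guard hits. */
static int xdp_exceptions_model;

/* Counterpart of bond_rr_gen_slave_id(). The kernel dereferences the counter
 * unconditionally; abort() here represents the resulting oops. */
static int bond_rr_gen_slave_id_model(struct bond_model *bond)
{
    if (!bond->rr_tx_counter) {
        fprintf(stderr, "model oops: NULL rr_tx_counter on a down bond\n");
        abort();
    }
    return (int)((*bond->rr_tx_counter)++ % (uint32_t)bond->slave_count);
}

/* bond_open(): allocate the counter, then mark the device up. */
static int bond_open_model(struct bond_model *bond)
{
    bond->rr_tx_counter = calloc(1, sizeof *bond->rr_tx_counter);
    if (!bond->rr_tx_counter)
        return -1;
    bond->flags |= IFF_UP_MODEL;
    return 0;
}

/* xdp_master_redirect(): before the fix it consults the master regardless of
 * state; after the fix a master without IFF_UP is refused, the frame is
 * dropped as XDP_ABORTED and the drop is reported through the tracepoint. */
static enum xdp_action_model xdp_master_redirect_model(struct bond_model *master, int patched, int *slave)
{
    if (patched && !(master->flags & IFF_UP_MODEL)) {
        xdp_exceptions_model++;
        return XDP_ABORTED_MODEL;
    }
    *slave = bond_rr_gen_slave_id_model(master);   /* via ->ndo_xdp_get_xmit_slave() */
    return XDP_REDIRECT_MODEL;
}

/* A slave driver's handling of an XDP_TX verdict: with the key on, the frame
 * goes to the master instead of the slave's own TX ring. */
static enum xdp_action_model slave_xdp_tx_model(struct bond_model *master, int patched, int *slave)
{
    if (!bpf_master_redirect_enabled_model || !master)
        return XDP_TX_MODEL;
    return xdp_master_redirect_model(master, patched, slave);
}

/* The reported setup: some other bond has native XDP attached (key on for
 * every slave), bond_b has two slaves but was never opened. XDP_TX on one of
 * its slaves must not reach bond_rr_gen_slave_id(). Returns the verdict;
 * with patched=0 the call aborts on the NULL counter instead. */
enum xdp_action_model down_master_scenario(int patched)
{
    struct bond_model bond_b = {0, NULL, 2};
    int slave = -1;
    xdp_exceptions_model = 0;
    bpf_master_redirect_enabled_model = 1;
    return slave_xdp_tx_model(&bond_b, patched, &slave);
}

/* Control case: `frames` XDP_TX frames on an up two-slave bond. Returns the
 * slave chosen for the last frame (0,1,0,1,...), or -1 if no frame was sent
 * or the guard wrongly refused an up master. */
int up_master_scenario(int frames)
{
    struct bond_model bond = {0, NULL, 2};
    int slave = -1;
    if (bond_open_model(&bond) != 0)
        return -1;
    bpf_master_redirect_enabled_model = 1;
    for (int i = 0; i < frames; i++) {
        if (slave_xdp_tx_model(&bond, 1, &slave) != XDP_REDIRECT_MODEL) {
            slave = -1;
            break;
        }
    }
    free(bond.rr_tx_counter);
    return slave;
}
```

down_master_scenario(1) returns XDP_ABORTED and bumps the exception counter once, which is the visible drop the fix asks for; down_master_scenario(0) walks the pre-fix path and aborts on the NULL counter, the model's equivalent of the reported oops. up_master_scenario() confirms the guard leaves an opened bond's round-robin selection untouched, since IFF_UP is only set after open() has allocated the counter.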

CVSS v3.1 Vector Breakdown

Exploitability
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact
Confidentiality: None
Integrity: None
Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

All References (7)

Quick Facts

CVE ID: CVE-2026-53069
CVSS Score: 7.5 / 10
Severity: HIGH
CISA KEV: No
EPSS (30d): 0.16%
Published: Jun 24, 2026

Recommended Actions

  • Update to a kernel that carries the fix "net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master"; check your distribution's advisory for the backported version.
  • Until patched, avoid the crashing state: do not leave a bond enslaved but down while native XDP is attached to any bond on the host. `ip link show type bond` lists bond masters and their state, and `ip link show` marks interfaces carrying a native XDP program with `xdp`.
  • Watch kernel logs and crash dumps for the crash signature: an oops in bond_rr_gen_slave_id() reached from xdp_master_redirect(). After patching, the guard drops such frames as XDP_ABORTED and reports them through the xdp_exception tracepoint, so a rise in those events on a host with down bonds means the condition is still being hit.
  • Track CVE-2026-53069 in threat intelligence feeds; no public exploit is confirmed at the time of writing, and there is no payload signature an IDS/IPS could match, since any frame a slave's XDP program answers with XDP_TX takes the same path.
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.