CVE-2026-31502

Source
https://cve.org/CVERecord?id=CVE-2026-31502
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31502.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31502
Downstream
Related
Published
2026-04-22T13:54:22.481Z
Modified
2026-07-09T18:31:33.838262215Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
team: fix header_ops type confusion with non-Ethernet ports
Details

In the Linux kernel, the following vulnerability has been resolved:

team: fix header_ops type confusion with non-Ethernet ports

Similar to commit 950803f72547 ("bonding: fix type confusion in bondsetupbyslave()") team has the same class of headerops type confusion.

For non-Ethernet ports, teamsetupbyport() copies portdev->headerops directly. When the team device later calls devhardheader() or devparseheader(), these callbacks can run with the team netdevice instead of the real lower device, so netdev_priv(dev) is interpreted as the wrong private type and can crash.

The syzbot report shows a crash in bondheadercreate(), but the root cause is in team: the topology is gre -> bond -> team, and team calls the inherited headerops with its own netdevice instead of the lower device, so bondheadercreate() receives a team device and interprets netdev_priv() as bonding private data, causing a type confusion crash.

Fix this by introducing team headerops wrappers for create/parse, selecting a team port under RCU, and calling the lower device callbacks with port->dev, so each callback always sees the correct netdevice context.

Also pass the selected lower device to the lower parse callback, so recursion is bounded in stacked non-Ethernet topologies and parse callbacks always run with the correct device context.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31502.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1d76efe1577b4323609b1bcbfafa8b731eda071a
Fixed
6d3161fa3eee64d46b766fb0db33ec7f300ef52d
Fixed
0a7468ed49a6b65d34abcc6eb60e15f7f6d34da0
Fixed
20491d384d973a63fbdaf7a71e38d69b0659ea55
Fixed
425000dbf17373a4ab8be9428f5dc055ef870a56

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31502.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.7.0
Fixed
6.12.80
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.21
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.11

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31502.json"