CVE-2026-43234

Source
https://cve.org/CVERecord?id=CVE-2026-43234
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43234.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-43234
Downstream
Related
Published
2026-05-06T11:28:30.212Z
Modified
2026-07-15T01:49:15.374792279Z
Summary
team: avoid NETDEV_CHANGEMTU event when unregistering slave
Details

In the Linux kernel, the following vulnerability has been resolved:

team: avoid NETDEV_CHANGEMTU event when unregistering slave

syzbot is reporting

unregisternetdevice: waiting for netdevsim0 to become free. Usage count = 3 reftracker: netdev@ffff88807dcf8618 has 1/2 users at __netdevtrackeralloc include/linux/netdevice.h:4400 [inline] netdevhold include/linux/netdevice.h:4429 [inline] inetdevinit+0x201/0x4e0 net/ipv4/devinet.c:286 inetdevevent+0x251/0x1610 net/ipv4/devinet.c:1600 notifiercallchain+0x19d/0x3a0 kernel/notifier.c:85 callnetdevicenotifiersmtu net/core/dev.c:2318 [inline] netifsetmtuext+0x5aa/0x800 net/core/dev.c:9886 netifsetmtu+0xd7/0x1b0 net/core/dev.c:9907 devsetmtu+0x126/0x260 net/core/devapi.c:248 teamportdel+0xb07/0xcb0 drivers/net/team/teamcore.c:1333 teamdelslave drivers/net/team/teamcore.c:1936 [inline] teamdeviceevent+0x207/0x5b0 drivers/net/team/teamcore.c:2929 notifiercallchain+0x19d/0x3a0 kernel/notifier.c:85 callnetdevicenotifiersextack net/core/dev.c:2281 [inline] callnetdevicenotifiers net/core/dev.c:2295 [inline] __devchangenetnamespace+0xcb7/0x2050 net/core/dev.c:12592 dosetlink+0x2ce/0x4590 net/core/rtnetlink.c:3060 rtnl_changelink net/core/rtnetlink.c:3776 [inline] __rtnlnewlink net/core/rtnetlink.c:3935 [inline] rtnlnewlink+0x15a9/0x1be0 net/core/rtnetlink.c:4072 rtnetlinkrcvmsg+0x7d5/0xbe0 net/core/rtnetlink.c:6958 netlinkrcvskb+0x232/0x4b0 net/netlink/afnetlink.c:2550 netlinkunicastkernel net/netlink/afnetlink.c:1318 [inline] netlinkunicast+0x80f/0x9b0 net/netlink/afnetlink.c:1344 netlinksendmsg+0x813/0xb40 net/netlink/afnetlink.c:1894

problem. Ido Schimmel found steps to reproduce

ip link add name team1 type team ip link add name dummy1 mtu 1499 master team1 type dummy ip netns add ns1 ip link set dev dummy1 netns ns1 ip -n ns1 link del dev dummy1

and also found that the same issue was fixed in the bond driver in commit f51048c3e07b ("bonding: avoid NETDEV_CHANGEMTU event when unregistering slave").

Let's do similar thing for the team driver, with commit ad7c7b2172c3 ("net: hold netdev instance lock during sysfs operations") and commit 303a8487a657 ("net: s/__devsetmtu/__netifsetmtu/") also applied.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43234.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3d249d4ca7d0ed6629a135ea1ea21c72286c0d80
Fixed
bce42728ac4887060a24a585c5122fbd24939db7
Fixed
5268892de70f0b29bde341db863b234aa9259c08
Fixed
bb4c698633c0e19717586a6524a33196cff01a32

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43234.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.3.0
Fixed
6.18.16
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43234.json"