CVE-2026-52975

Source
https://cve.org/CVERecord?id=CVE-2026-52975
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52975.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52975
Downstream
Published
2026-06-24T16:28:52.514Z
Modified
2026-07-08T08:09:44.865972819Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
bonding: 3ad: implement proper RCU rules for port->aggregator
Details

In the Linux kernel, the following vulnerability has been resolved:

bonding: 3ad: implement proper RCU rules for port->aggregator

syzbot found a data-race in bond3adgetactiveagginfo / bond3adstatemachine_handler [1] which hints at lack of proper RCU implementation.

Add __rcu qualifier to port->aggregator, and add proper RCU API.

[1]

BUG: KCSAN: data-race in bond3adgetactiveagginfo / bond3adstatemachine_handler

write to 0xffff88813cf5c4b0 of 8 bytes by task 36 on cpu 0: adportselectionlogic drivers/net/bonding/bond3ad.c:1659 [inline] bond3adstatemachinehandler+0x9d5/0x2d60 drivers/net/bonding/bond3ad.c:2569 processonework kernel/workqueue.c:3302 [inline] processscheduledworks+0x4f0/0x9c0 kernel/workqueue.c:3385 workerthread+0x58a/0x780 kernel/workqueue.c:3466 kthread+0x22a/0x280 kernel/kthread.c:436 retfromfork+0x146/0x330 arch/x86/kernel/process.c:158 retfromforkasm+0x1a/0x30 arch/x86/entry/entry64.S:245

read to 0xffff88813cf5c4b0 of 8 bytes by task 22063 on cpu 1: __bond3adgetactiveagginfo drivers/net/bonding/bond3ad.c:2858 [inline] bond3adgetactiveagginfo+0x8c/0x230 drivers/net/bonding/bond3ad.c:2881 bondfillinfo+0xe0f/0x10f0 drivers/net/bonding/bondnetlink.c:853 rtnllinkinfofill net/core/rtnetlink.c:906 [inline] rtnllinkfill+0x1d7/0x4e0 net/core/rtnetlink.c:927 rtnlfillifinfo+0xf8e/0x1380 net/core/rtnetlink.c:2168 rtmsgifinfobuildskb+0x11c/0x1b0 net/core/rtnetlink.c:4453 rtmsgifinfoevent net/core/rtnetlink.c:4486 [inline] rtmsgifinfo+0x6d/0x110 net/core/rtnetlink.c:4495 __devnotifyflags+0x76/0x390 net/core/dev.c:9790 netifchangeflags+0xac/0xd0 net/core/dev.c:9823 dosetlink+0x905/0x2950 net/core/rtnetlink.c:3180 rtnlgroup_changelink net/core/rtnetlink.c:3813 [inline] __rtnlnewlink net/core/rtnetlink.c:3981 [inline] rtnlnewlink+0xf55/0x1400 net/core/rtnetlink.c:4109 rtnetlinkrcvmsg+0x64b/0x720 net/core/rtnetlink.c:6995 netlinkrcvskb+0x123/0x220 net/netlink/afnetlink.c:2550 rtnetlinkrcv+0x1c/0x30 net/core/rtnetlink.c:7022 netlinkunicastkernel net/netlink/afnetlink.c:1318 [inline] netlinkunicast+0x5a8/0x680 net/netlink/afnetlink.c:1344 netlinksendmsg+0x5c8/0x6f0 net/netlink/afnetlink.c:1894 socksendmsg_nosec net/socket.c:787 [inline] __sock_sendmsg net/socket.c:802 [inline] ____sys_sendmsg+0x563/0x5b0 net/socket.c:2698 ___sys_sendmsg+0x195/0x1e0 net/socket.c:2752 __sys_sendmsg net/socket.c:2784 [inline] __dosyssendmsg net/socket.c:2789 [inline] __sesyssendmsg net/socket.c:2787 [inline] _x64syssendmsg+0xd4/0x160 net/socket.c:2787 x64syscall+0x194c/0x3020 arch/x86/include/generated/asm/syscalls64.h:47 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0x12c/0x3b0 arch/x86/entry/syscall64.c:94 entrySYSCALL64afterhwframe+0x77/0x7f

value changed: 0x0000000000000000 -> 0xffff88813cf5c400

Reported by Kernel Concurrency Sanitizer on: CPU: 1 UID: 0 PID: 22063 Comm: syz.0.31122 Tainted: G W syzkaller #0 PREEMPT(full) Tainted: [W]=WARN Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52975.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
47e91f56008b43e1365e8d1d4a6813fe8a33b6f6
Fixed
ba2272be04f0cb1e74e1e355ff32ef95df280731
Fixed
3b7265b3a82f40d2357c4004b26eb794a095b186
Fixed
5fb9ea4e8ebf514d92df2b6c9d0db25ba02ac735
Fixed
c169c5837525ad842df6a542facf52b6f866a519
Fixed
78f409fd34fe9de2b24ad8e9dca1b4608a48ed3d
Fixed
c4f050ce06c56cfb5993268af4a5cb66ed1cd04e

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52975.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.13.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.95
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52975.json"