In the Linux kernel, the following vulnerability has been resolved:
net, bpf: fix null-ptr-deref in xdpmasterredirect() for down master
syzkaller reported a kernel panic in bondrrgenslaveid() reached via xdpmasterredirect(). Full decoded trace:
https://syzkaller.appspot.com/bug?extid=80e046b8da2820b6ba73
bondrrgenslaveid() dereferences bond->rrtxcounter, a per-CPU counter that bonding only allocates in bondopen() when the mode is round-robin. If the bond device was never brought up, rrtx_counter stays NULL.
The XDP redirect path can still reach that code on a bond that was never opened: bpfmasterredirectenabledkey is a global static key, so as soon as any bond device has native XDP attached, the XDPTX -> xdpmasterredirect() interception is enabled for every slave system-wide. The path xdpmasterredirect() -> bondxdpgetxmitslave() -> bondxdpxmitroundrobinslaveget() -> bondrrgenslaveid() then runs against a bond that has no rrtxcounter and crashes.
Fix this in the generic xdpmasterredirect() by refusing to call into the master's ->ndoxdpgetxmitslave() when the master device is not up. IFFUP is only set after ->ndoopen() has successfully returned, so this reliably excludes masters whose XDP state has not been fully initialized. Drop the frame with XDPABORTED so the exception is visible via tracexdpexception() rather than silently falling through. This is not specific to bonding: any current or future master that defers XDP state allocation to ->ndoopen() is protected.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53069.json",
"cna_assigner": "Linux"
}