CVE-2026-53069

Source
https://cve.org/CVERecord?id=CVE-2026-53069
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53069.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53069
Downstream
Published
2026-06-24T16:30:10.930Z
Modified
2026-07-16T03:31:17.755500893Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master
Details

In the Linux kernel, the following vulnerability has been resolved:

net, bpf: fix null-ptr-deref in xdpmasterredirect() for down master

syzkaller reported a kernel panic in bondrrgenslaveid() reached via xdpmasterredirect(). Full decoded trace:

https://syzkaller.appspot.com/bug?extid=80e046b8da2820b6ba73

bondrrgenslaveid() dereferences bond->rrtxcounter, a per-CPU counter that bonding only allocates in bondopen() when the mode is round-robin. If the bond device was never brought up, rrtx_counter stays NULL.

The XDP redirect path can still reach that code on a bond that was never opened: bpfmasterredirectenabledkey is a global static key, so as soon as any bond device has native XDP attached, the XDPTX -> xdpmasterredirect() interception is enabled for every slave system-wide. The path xdpmasterredirect() -> bondxdpgetxmitslave() -> bondxdpxmitroundrobinslaveget() -> bondrrgenslaveid() then runs against a bond that has no rrtxcounter and crashes.

Fix this in the generic xdpmasterredirect() by refusing to call into the master's ->ndoxdpgetxmitslave() when the master device is not up. IFFUP is only set after ->ndoopen() has successfully returned, so this reliably excludes masters whose XDP state has not been fully initialized. Drop the frame with XDPABORTED so the exception is visible via tracexdpexception() rather than silently falling through. This is not specific to bonding: any current or future master that defers XDP state allocation to ->ndoopen() is protected.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53069.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
879af96ffd72706c6e3278ea6b45b0b0e37ec5d7
Fixed
3128b294b426533c8d9162187446d93a8a160359
Fixed
acbf45bd584d924b320bee2a7fe2a26f64904d95
Fixed
866d3d9b87751b1944168fd82615505e0c0fd6cf
Fixed
183128da0406b1c10e6f60b7b9fe70788b9c8c1d
Fixed
7bad93e99737e4a5c0c14ac50c05152cf4e28022
Fixed
ea690b3b6e58ae00979af8195b4cc24df466b65e
Fixed
1921f91298d1388a0bb9db8f83800c998b649cb3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53069.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.15.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53069.json"