CVE-2026-53069 - net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master

CVSS 7.5 · High · EPSS 0.39% · P30

Affected Version Matrix (16)

| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 879af96ffd72706c6e3278ea6b45b0b0e37ec5d7 < 3128b294b426533c8d9162187446d93a8a160359 | affected |
| Linux | Linux | 879af96ffd72706c6e3278ea6b45b0b0e37ec5d7 < acbf45bd584d924b320bee2a7fe2a26f64904d95 | affected |
| Linux | Linux | 879af96ffd72706c6e3278ea6b45b0b0e37ec5d7 < 866d3d9b87751b1944168fd82615505e0c0fd6cf | affected |
| Linux | Linux | 879af96ffd72706c6e3278ea6b45b0b0e37ec5d7 < 183128da0406b1c10e6f60b7b9fe70788b9c8c1d | affected |
| Linux | Linux | 879af96ffd72706c6e3278ea6b45b0b0e37ec5d7 < 7bad93e99737e4a5c0c14ac50c05152cf4e28022 | affected |
| Linux | Linux | 879af96ffd72706c6e3278ea6b45b0b0e37ec5d7 < ea690b3b6e58ae00979af8195b4cc24df466b65e | affected |
| Linux | Linux | 879af96ffd72706c6e3278ea6b45b0b0e37ec5d7 < 1921f91298d1388a0bb9db8f83800c998b649cb3 | affected |
| Linux | Linux | 5.15 | affected |
… +8 more rows

I. Basic Information for CVE-2026-53069

Vulnerability Information


Vulnerability Title
net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved:

net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master

syzkaller reported a kernel panic in bond_rr_gen_slave_id() reached via xdp_master_redirect(). Full decoded trace:

https://syzkaller.appspot.com/bug?extid=80e046b8da2820b6ba73

bond_rr_gen_slave_id() dereferences bond->rr_tx_counter, a per-CPU counter that bonding only allocates in bond_open() when the mode is round-robin. If the bond device was never brought up, rr_tx_counter stays NULL.

The XDP redirect path can still reach that code on a bond that was never opened: bpf_master_redirect_enabled_key is a global static key, so as soon as any bond device has native XDP attached, the XDP_TX -> xdp_master_redirect() interception is enabled for every slave system-wide. The path xdp_master_redirect() -> bond_xdp_get_xmit_slave() -> bond_xdp_xmit_roundrobin_slave_get() -> bond_rr_gen_slave_id() then runs against a bond that has no rr_tx_counter and crashes.

Fix this in the generic xdp_master_redirect() by refusing to call into the master's ->ndo_xdp_get_xmit_slave() when the master device is not up. IFF_UP is only set after ->ndo_open() has successfully returned, so this reliably excludes masters whose XDP state has not been fully initialized. Drop the frame with XDP_ABORTED so the exception is visible via trace_xdp_exception() rather than silently falling through.

This is not specific to bonding: any current or future master that defers XDP state allocation to ->ndo_open() is protected.
Source: NVD (National Vulnerability Database)
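
The guard described above, as a userspace C model added here for illustration; it is not the kernel patch or any kernel source. Every `model_*` / `MODEL_*` name, the struct layout and the round-robin arithmetic are assumptions made for the model.

```c
/* Userspace model of the IFF_UP guard described above; NOT kernel code.
 * All model_* / MODEL_* names are hypothetical stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#define MODEL_IFF_UP 0x1u
enum model_xdp_action { MODEL_XDP_ABORTED = 0, MODEL_XDP_REDIRECT = 4 }; /* values as in enum xdp_action */

struct model_master {
    unsigned int flags;          /* MODEL_IFF_UP is set only after open succeeds */
    unsigned int *rr_tx_counter; /* allocated in open; NULL on a never-opened master */
    unsigned int nslaves;
};

/* Stand-in for ->ndo_open(): allocate round-robin state, then mark the device up. */
int model_open(struct model_master *m)
{
    m->rr_tx_counter = calloc(1, sizeof(*m->rr_tx_counter));
    if (!m->rr_tx_counter)
        return -1;
    m->flags |= MODEL_IFF_UP;
    return 0;
}

/* Stand-in for ->ndo_xdp_get_xmit_slave(): no NULL check, the crash site named above. */
static unsigned int model_get_xmit_slave(struct model_master *m)
{
    return (*m->rr_tx_counter)++ % m->nslaves;
}

/* Guarded redirect: never call into a master that is not up. */
enum model_xdp_action model_master_redirect(struct model_master *m, unsigned int *slave)
{
    if (!(m->flags & MODEL_IFF_UP))
        return MODEL_XDP_ABORTED; /* visible drop instead of a NULL dereference */
    *slave = model_get_xmit_slave(m);
    return MODEL_XDP_REDIRECT;
}

int main(void)
{
    struct model_master bond = { 0, NULL, 2 }; /* constructed: never opened */
    unsigned int slave = 99;
    printf("down master -> action %d\n", model_master_redirect(&bond, &slave));
    if (model_open(&bond) == 0) {
        int act = model_master_redirect(&bond, &slave);
        printf("up master   -> action %d, slave %u\n", act, slave);
    }
    free(bond.rr_tx_counter);
}
```

Removing the flag check in `model_master_redirect()` makes the first call dereference a NULL `rr_tx_counter`, which is the model's analogue of the reported panic.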
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel security vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
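The Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (USA). The Linux kernel contains a security vulnerability that stems from improper handling of a down master device in xdp_master_redirect(): when the bond device has not been brought up, rr_tx_counter is a null pointer, which can lead to a kernel crash from a null pointer dereference.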
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

| Vendor | Product | Affected Versions | CPE |
|---|---|---|---|
| Linux | Linux | 879af96ffd72706c6e3278ea6b45b0b0e37ec5d7 ~ 3128b294b426533c8d9162187446d93a8a160359 | - |
| Linux | Linux | 5.15 | - |

II. Public POCs for CVE-2026-53069


No public POC found.



Patches & Fixes for CVE-2026-53069 (7)

Same Patch Batch · Linux · 2026-06-24 · 219 CVEs total

CVE-2026-52982 · 9.8 CRITICAL · net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
CVE-2026-53046 · 9.8 CRITICAL · ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
CVE-2026-52955 · 9.8 CRITICAL · libceph: Fix potential out-of-bounds access in crush_decode()
CVE-2026-53045 · 9.8 CRITICAL · memory: tegra124-emc: Fix dll_change check
CVE-2026-53049 · 9.8 CRITICAL · gfs2: add some missing log locking
CVE-2026-53010 · 9.8 CRITICAL · ksmbd: fix use-after-free in smb2_open during durable reconnect
CVE-2026-53088 · 9.8 CRITICAL · net: bcmgenet: fix off-by-one in bcmgenet_put_txcb
CVE-2026-53006 · 9.8 CRITICAL · ipv6: fix possible UAF in icmpv6_rcv()
CVE-2026-53055 · 9.8 CRITICAL · crypto: hisilicon/sec2 - prevent req used-after-free for sec
CVE-2026-53002 · 9.8 CRITICAL · netfilter: conntrack: remove sprintf usage
CVE-2026-53086 · 9.8 CRITICAL · net: bcmgenet: fix racing timeout handler
CVE-2026-52914 · 9.8 CRITICAL · batman-adv: fix fragment reassembly length accounting
CVE-2026-52993 · 9.8 CRITICAL · tipc: fix double-free in tipc_buf_append()
CVE-2026-52931 · 9.8 CRITICAL · batman-adv: tp_meter: avoid use of uninit sender vars
CVE-2026-52989 · 9.8 CRITICAL · nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
CVE-2026-52924 · 9.8 CRITICAL · sctp: purge outqueue on stale COOKIE-ECHO handling
CVE-2026-52986 · 9.8 CRITICAL · netfilter: nf_conntrack_sip: don't use simple_strtoul
CVE-2026-52999 · 9.1 CRITICAL · netfilter: nfnetlink_osf: fix out-of-bounds read on option matching
CVE-2026-52958 · 9.1 CRITICAL · libceph: Fix potential out-of-bounds access in osdmap_decode()
CVE-2026-53043 · 9.1 CRITICAL · ocfs2/dlm: validate qr_numregions in dlm_match_regions()

Showing top 20 of 219 CVEs.
