CVE-2026-43456

HIGHNVD 7.87.8
EchelonGraph scoreMEDIUM confidence

Score 7.8 from GitHub Security Advisory (severity: HIGH) published 2026-05-08. NVD baseline CVSS 7.8; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: epss, ghsa, nvd
7.8
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 7.8Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

In the Linux kernel, the following vulnerability has been resolved:

bonding: fix type confusion in bond_setup_by_slave()

kernel BUG at net/core/skbuff.c:2306! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI RIP: 0010:pskb_expand_head+0xa08/0xfe0 net/core/skbuff.c:2306 RSP: 0018:ffffc90004aff760 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88807e3c8780 RCX: ffffffff89593e0e RDX: ffff88807b7c4900 RSI: ffffffff89594747 RDI: ffff88807b7c4900 RBP: 0000000000000820 R08: 0000000000000005 R09: 0000000000000000 R10: 00000000961a63e0 R11: 0000000000000000 R12: ffff88807e3c8780 R13: 00000000961a6560 R14: dffffc0000000000 R15: 00000000961a63e0 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe1a0ed8df0 CR3: 000000002d816000 CR4: 00000000003526f0 Call Trace: ipgre_header+0xdd/0x540 net/ipv4/ip_gre.c:900 dev_hard_header include/linux/netdevice.h:3439 [inline] packet_snd net/packet/af_packet.c:3028 [inline] packet_sendmsg+0x3ae5/0x53c0 net/packet/af_packet.c:3108 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa54/0xc30 net/socket.c:2592 ___sys_sendmsg+0x190/0x1e0 net/socket.c:2646 __sys_sendmsg+0x170/0x220 net/socket.c:2678 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe1a0e6c1a9

When a non-Ethernet device (e.g. GRE tunnel) is enslaved to a bond, bond_setup_by_slave() directly copies the slave's header_ops to the bond device:

bond_dev->header_ops = slave_dev->header_ops;

This causes a type confusion when dev_hard_header() is later called on the bond device. Functions like ipgre_header(), ip6gre_header(),all use netdev_priv(dev) to access their device-specific private data. When called with the bond device, netdev_priv() returns the bond's private data (struct bonding) instead of the expected type (e.g. struct ip_tunnel), leading to garbage values being read and kernel crashes.

Fix this by introducing bond_header_ops with wrapper functions that delegate to the active slave's header_ops using the slave's own device. This ensures netdev_priv() in the slave's header functions always receives the correct device.

The fix is placed in the bonding driver rather than individual device drivers, as the root cause is bond blindly inheriting header_ops from the slave without considering that these callbacks expect a specific netdev_priv() layout.

The type confusion can be observed by adding a printk in ipgre_header() and running the following commands:

ip link add dummy0 type dummy ip addr add 10.0.0.1/24 dev dummy0 ip link set dummy0 up ip link add gre1 type gre local 10.0.0.1 ip link add bond1 type bond mode active-backup ip link set gre1 master bond1 ip link set gre1 up ip link set bond1 up ip addr add fe80::1/64 dev bond1

CVSS v3
7.8
EG Score
7.8(medium)
EPSS
5.3%
KEV
Not listed

Published

May 8, 2026

Last Modified

May 20, 2026

Advisory Details (4)

Auto-updated May 11, 2026
No patch confirmed yet.
generic

bonding: fix type confusion in bond_setup_by_slave() - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/9baf26a91565b7bb2b1d9f99aaf884a2b28c2f6d
generic

bonding: fix type confusion in bond_setup_by_slave() - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/95597d11dc8bddb2b9a051c9232000bfbb5e43ba
generic

bonding: fix type confusion in bond_setup_by_slave() - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/950803f7254721c1c15858fbbfae3deaaeeecb11
generic

bonding: fix type confusion in bond_setup_by_slave() - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/6ac890f1d60ac3707ee8dae15a67d9a833e49956

Vendor Advisories for CVE-2026-43456(2)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 7× in last 7d / 51× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

Showing the most recent 100 of 134 total refreshes for this CVE.

  1. 2026-07-12 05:46 UTCEPSS rescore
  2. 2026-07-11 08:27 UTCEPSS rescore
  3. 2026-07-09 19:10 UTCEPSS rescore
  4. 2026-07-08 15:16 UTCEPSS rescore
  5. 2026-07-07 13:46 UTCEPSS rescore
  6. 2026-07-06 16:27 UTCEPSS rescore
  7. 2026-07-06 02:23 UTCEPSS rescore
  8. 2026-07-05 02:30 UTCEPSS rescore
  9. 2026-07-04 06:31 UTCEPSS rescore
  10. 2026-07-01 15:07 UTCEPSS rescore
  11. 2026-06-30 23:22 UTCEPSS rescore
  12. 2026-06-29 14:06 UTCEPSS rescore
  13. 2026-06-28 14:07 UTCEPSS rescore
  14. 2026-06-28 04:56 UTCEPSS rescore
  15. 2026-06-28 04:25 UTCEG score recompute
  16. 2026-06-28 04:25 UTCGHSA enrichment
  17. 2026-06-27 13:21 UTCEG score recompute
  18. 2026-06-27 13:21 UTCGHSA enrichment
  19. 2026-06-27 03:08 UTCEPSS rescore
  20. 2026-06-26 21:20 UTCEG score recompute
  21. 2026-06-26 21:20 UTCGHSA enrichment
  22. 2026-06-25 13:49 UTCEPSS rescore
  23. 2026-06-25 13:49 UTCEPSS rescore
  24. 2026-06-24 14:05 UTCEPSS rescore
  25. 2026-06-23 21:33 UTCEPSS rescore
Show 75 more
  1. 2026-06-22 14:25 UTCEPSS rescore
  2. 2026-06-22 14:25 UTCEPSS rescore
  3. 2026-06-21 14:56 UTCEPSS rescore
  4. 2026-06-21 14:56 UTCEPSS rescore
  5. 2026-06-21 01:59 UTCEPSS rescore
  6. 2026-06-19 19:25 UTCEPSS rescore
  7. 2026-06-18 17:52 UTCEPSS rescore
  8. 2026-06-18 17:52 UTCEPSS rescore
  9. 2026-06-17 17:53 UTCEPSS rescore
  10. 2026-06-17 01:28 UTCEG score recompute
  11. 2026-06-17 01:28 UTCGHSA enrichment
  12. 2026-06-16 17:52 UTCEPSS rescore
  13. 2026-06-16 08:08 UTCEG score recompute
  14. 2026-06-16 08:07 UTCGHSA enrichment
  15. 2026-06-15 17:49 UTCEPSS rescore
  16. 2026-06-15 02:25 UTCEG score recompute
  17. 2026-06-15 02:25 UTCGHSA enrichment
  18. 2026-06-14 14:50 UTCEG score recompute
  19. 2026-06-14 14:50 UTCGHSA enrichment
  20. 2026-06-14 02:35 UTCEG score recompute
  21. 2026-06-14 02:34 UTCGHSA enrichment
  22. 2026-06-13 23:00 UTCEPSS rescore
  23. 2026-06-12 23:12 UTCEPSS rescore
  24. 2026-06-12 23:12 UTCEPSS rescore
  25. 2026-06-12 23:07 UTCEG score recompute
  26. 2026-06-12 23:07 UTCGHSA enrichment
  27. 2026-06-12 11:26 UTCEG score recompute
  28. 2026-06-12 11:26 UTCGHSA enrichment
  29. 2026-06-11 23:50 UTCEG score recompute
  30. 2026-06-11 23:50 UTCGHSA enrichment
  31. 2026-06-11 14:00 UTCEPSS rescore
  32. 2026-06-11 12:15 UTCEG score recompute
  33. 2026-06-11 12:15 UTCGHSA enrichment
  34. 2026-06-11 00:30 UTCEG score recompute
  35. 2026-06-11 00:30 UTCGHSA enrichment
  36. 2026-06-10 22:18 UTCEPSS rescore
  37. 2026-06-10 13:22 UTCEPSS rescore
  38. 2026-06-10 13:22 UTCEPSS rescore
  39. 2026-06-10 12:55 UTCEG score recompute
  40. 2026-06-10 12:55 UTCGHSA enrichment
  41. 2026-06-10 01:20 UTCEG score recompute
  42. 2026-06-10 01:20 UTCGHSA enrichment
  43. 2026-06-09 13:44 UTCEG score recompute
  44. 2026-06-09 13:44 UTCGHSA enrichment
  45. 2026-06-09 02:09 UTCEG score recompute
  46. 2026-06-09 02:09 UTCGHSA enrichment
  47. 2026-06-08 14:17 UTCEPSS rescore
  48. 2026-06-08 14:17 UTCEPSS rescore
  49. 2026-06-08 13:36 UTCEG score recompute
  50. 2026-06-08 13:35 UTCGHSA enrichment
  51. 2026-06-08 02:01 UTCEG score recompute
  52. 2026-06-08 02:01 UTCGHSA enrichment
  53. 2026-06-07 15:25 UTCEPSS rescore
  54. 2026-06-07 15:25 UTCEPSS rescore
  55. 2026-06-07 14:26 UTCEG score recompute
  56. 2026-06-07 14:26 UTCGHSA enrichment
  57. 2026-06-07 02:51 UTCEG score recompute
  58. 2026-06-07 02:51 UTCGHSA enrichment
  59. 2026-06-06 15:16 UTCEG score recompute
  60. 2026-06-06 15:16 UTCGHSA enrichment
  61. 2026-06-06 13:47 UTCEPSS rescore
  62. 2026-06-06 13:47 UTCEPSS rescore
  63. 2026-06-06 03:40 UTCEG score recompute
  64. 2026-06-06 03:40 UTCGHSA enrichment
  65. 2026-06-05 22:47 UTCEPSS rescore
  66. 2026-06-05 16:05 UTCEG score recompute
  67. 2026-06-05 16:05 UTCGHSA enrichment
  68. 2026-06-05 06:10 UTCEPSS rescore
  69. 2026-06-05 06:10 UTCEPSS rescore
  70. 2026-06-05 04:29 UTCEG score recompute
  71. 2026-06-05 04:29 UTCGHSA enrichment
  72. 2026-06-04 16:53 UTCEG score recompute
  73. 2026-06-04 16:53 UTCGHSA enrichment
  74. 2026-06-04 13:12 UTCEPSS rescore
  75. 2026-06-04 13:12 UTCEPSS rescore

Frequently asked(5)

What is CVE-2026-43456?
CVE-2026-43456 is a high vulnerability published on May 8, 2026. In the Linux kernel, the following vulnerability has been resolved: bonding: fix type confusion in bondsetupby_slave() kernel BUG at net/core/skbuff.c:2306! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI RIP: 0010:pskbexpandhead+0xa08/0xfe0 net/core/skbuff.c:2306 RSP: 0018:ffffc90004aff760 EFLAGS:…
When was CVE-2026-43456 disclosed?
CVE-2026-43456 was first published in the National Vulnerability Database on May 8, 2026, with the most recent update on May 20, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-43456 actively exploited?
CVE-2026-43456 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 5.3% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-43456?
CVE-2026-43456 has a CVSS v3 base score of 7.8 (NVD).
How do I remediate CVE-2026-43456?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-43456, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-43456

Explore →

Is Your Infrastructure Affected by CVE-2026-43456?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.