Improper Access Control in Linux kernel - CVE-2026-23310
Published: March 25, 2026
Vulnerability identifier: #VU124537
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23310
CWE-ID: CWE-284
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper access control in the bonding driver when changing the xmit_hash_policy to vlan+srcmac while an XDP program is loaded on a bond interface in 802.3ad or balance-xor mode. A local user can change the xmit_hash_policy to cause an inconsistent state, leading to failure in uninstalling the XDP program and triggering a kernel warning during bond device destruction.
The attacker must have the ability to configure bonding interface settings, which requires local access and privileges to modify network device parameters.
How to mitigate CVE-2026-23310
Install security update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/0ace8027e41f6f094ef6c1aca42d2ed6cd7af54e
- https://git.kernel.org/stable/c/479d589b40b836442bbdadc3fdb37f001bb67f26
- https://git.kernel.org/stable/c/5c262bd0e39320a6d6c8277cb8349ce21c01b8c1
- https://git.kernel.org/stable/c/d36ad7e126c6a0c5f699583309ccc37e3a3263ea
- https://git.kernel.org/stable/c/e85fa809e507b9d8eff4840888b8c727e4e8448c