Infinite loop in Linux kernel - CVE-2026-23451
Published: April 6, 2026
Vulnerability identifier: #VU124919
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23451
CWE-ID: CWE-835
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to an infinite loop in bond_header_parse() when parsing packet headers in a stack of two bonding devices. A local attacker can trigger packet processing in this configuration to cause a denial of service.
The issue occurs because device recursion can remain bounded to the hierarchy top, leading to repeated parsing instead of reaching the final leaf parse method.
How to mitigate CVE-2026-23451
Install security update from vendor's repository.