{
  "entrypoint_kind": "local_kernel_runtime",
  "entrypoint_detail": "QEMU x86_64 VM (TCG) booting Linux 7.0.0-rc2 (commit e3f5e0f22, parent of upstream fix 950803f7) with an Ubuntu rootfs; /init runs iproute2 bond/gre setup, loads populate_hlen.ko (writes 0x961a63cc into netdev_priv(bond1).ip_tunnel.hlen), then AF_PACKET SOCK_DGRAM sendto on bond1 to invoke dev_hard_header(bond1)->ipgre_header(bond1)->pskb_expand_head()->BUG_ON(nhead<0)->panic",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "qemu-system-x86_64",
    "linux-7.0.0-rc2-vuln(e3f5e0f22,KASAN)",
    "linux-7.0.0-rc2-fixed(bonding.ko swap)",
    "bonding",
    "ip_gre",
    "populate_hlen",
    "init/bond_repro_init"
  ],
  "proof_artifacts": [
    "logs/reproduction_steps.log",
    "logs/qemu_vuln_7rc2.log",
    "logs/qemu_fixed_7rc2.log"
  ],
  "notes": "VULN kernel: populate_hlen wrote 0x961a63cc into the confused ip_tunnel.hlen field of netdev_priv(bond1); ipgre_header then ran with dev=bond1 (type confusion: netdev_priv(bond)=struct bonding read as struct ip_tunnel) and hlen=0x961a63cc, so needed=hlen+20 overflowed to a negative int and pskb_expand_head() hit BUG_ON(nhead<0) => kernel panic (DoS), matching the reporter's Oops (nhead=0x961a63e0). FIXED kernel (bond_header_ops): ipgre_header ran with dev=gre1 (correct slave), hlen=4, no crash, RESULT NOT VULNERABLE. dos_confirmed=true type_confusion_differential=true. vuln_hdr=[CVE-2026-43456 ipgre_header: dev=bond1 hlen=0 needed=20 headroom=160] fixed_hdr=[CVE-2026-43456 ipgre_header: dev=gre1 hlen=4 needed=24 headroom=160]"
}