{
  "claim": {
    "argus_claim_ref": null,
    "attacker_control": "enslavement of a non-Ethernet device (e.g., GRE) to a bond and traffic that triggers dev_hard_header()",
    "claimed_surface": "local_only",
    "expected_impact": "dos",
    "finding_id": null,
    "id": null,
    "required_entrypoint_detail": "bond device with non-Ethernet slave (e.g., GRE) and traffic triggering dev_hard_header()",
    "required_entrypoint_kind": "local_kernel_runtime",
    "submission_reason": "ticket_derived_llm",
    "trigger_class": "local_execution",
    "upstream_verdicts": {
      "claim_extraction": {
        "confidence": "high",
        "model": "accounts/fireworks/models/kimi-k2p7-code",
        "reason": "Ticket describes a Linux kernel bonding driver bug where header_ops are inherited from a non-Ethernet slave (GRE), causing type confusion in netdev_priv() and kernel crashes when dev_hard_header() is called on the bond device. Reproduction uses local CLI commands (ip link) to configure network devices and trigger the vulnerable code path.",
        "source": "llm"
      }
    }
  },
  "latest_description": "## Summary\nThe Linux kernel bonding driver copies `header_ops` from a slave device to the bond device. If the slave is a non‑Ethernet device (e.g., GRE), the bond later calls `dev_hard_header()` with `header_ops` that expect the slave’s `netdev_priv()` layout but receive the bond’s private data instead, leading to type confusion and kernel crashes.\n\n## Affected Package\n- **Package**: Linux kernel (bonding driver)\n- **Ecosystem**: linux\n- **Vulnerable versions**: Not specified in NVD; kernels without the stable commits listed under References are affected.\n\n## Details\n`bond_setup_by_slave()` assigns `bond_dev->header_ops = slave_dev->header_ops` without considering that many `header_ops` callbacks (e.g., `ipgre_header()` / `ip6gre_header()`) dereference `netdev_priv(dev)` and expect a device-specific private struct. When the bond device runs these callbacks, `netdev_priv()` returns `struct bonding` instead of the expected tunnel struct, so the callback reads bonding fields as tunnel fields (type confusion) and performs invalid memory accesses. The kernel can hit `BUG()` in `pskb_expand_head()` and crash; the `invalid opcode` in the Oops is how `BUG()` (x86 `ud2`) shows up, and the `KASAN` tag in such a report only marks a KASAN-enabled test kernel rather than a KASAN-detected access.\n\nFix: Introduce a bonding-specific wrapper, `bond_header_ops`, that looks up the active slave and calls the slave’s `header_ops` with the slave device as `dev`, so `netdev_priv()` resolves to the slave’s own private data. The fix is implemented in the bonding driver commits listed below.\n\n## Reproduction Steps\n1. Build/run a kernel without the fix (bonding driver vulnerable).\n2. Create a dummy and GRE device, then enslave GRE to a bond:\n   ```bash\n   ip link add dummy0 type dummy\n   ip addr add 10.0.0.1/24 dev dummy0\n   ip link set dummy0 up\n\n   ip link add gre1 type gre local 10.0.0.1\n   ip link add bond1 type bond mode active-backup\n   ip link set gre1 master bond1\n   ip link set gre1 up\n   ip link set bond1 up\n\n   ip addr add fe80::1/64 dev bond1\n   ```\n3. Send traffic through `bond1` (for example a packet addressed to another host on the `fe80::/64` link configured above): the neighbour output path calls `dev_hard_header()` on `bond1`, which runs the inherited `ipgre_header()` against the bond’s private data.\n\n## Expected vs Vulnerable Behavior\n- **Expected**: Bond device should safely build L2 headers using the active slave’s `header_ops` and private data.\n- **Vulnerable**: Type confusion in `header_ops` callbacks (e.g., `ipgre_header()`), leading to invalid memory access and kernel crash.\n\n## Indicators of Success\n- Kernel BUG/Oops similar to:\n  - `kernel BUG at net/core/skbuff.c:2306` in `pskb_expand_head()` (the line number varies with kernel version)\n  - Stack trace showing `ipgre_header()` / `dev_hard_header()`\n\n## References\n- https://nvd.nist.gov/vuln/detail/CVE-2026-43456\n- https://git.kernel.org/stable/c/6ac890f1d60ac3707ee8dae15a67d9a833e49956\n- https://git.kernel.org/stable/c/950803f7254721c1c15858fbbfae3deaaeeecb11\n- https://git.kernel.org/stable/c/95597d11dc8bddb2b9a051c9232000bfbb5e43ba\n- https://git.kernel.org/stable/c/9baf26a91565b7bb2b1d9f99aaf884a2b28c2f6d",
  "product": "linux:linux kernel",
  "severity": "medium",
  "status": "open",
  "summary": "Linux kernel bonding can inherit header_ops from non‑Ethernet slaves (e.g., GRE), causing type confusion and kernel crashes when dev_hard_header() is invoked on the bond device.",
  "ticket_id": "CVE-2026-43456"
}
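Added example illustrating the `Details` and `Fix` parts of `latest_description` in the ticket above: a userspace C model of the bonding `header_ops` type confusion and of the wrapper fix. It is written for this page and is not code from the kernel, from the stable commits, or from the ticket. The struct layouts, the `GRE_MAGIC`/`BOND_MAGIC` markers, the 8-byte toy header, `run_scenario()` and the wrapper's behaviour when no active slave exists are all assumptions of the model; the real kernel dereferences the private data unconditionally and crashes, whereas this model detects the wrong private struct and reports it, and the real wrapper must forward every `header_ops` callback, not only `create`.

```c
#include <stdint.h>
#include <string.h>

/* Added example: a userspace model of the bonding header_ops type confusion from
 * the Details section. Struct layouts, field names and the magic markers are
 * simplifications chosen for this example, not kernel definitions; only the shape
 * of the bug and of the wrapper fix mirror the kernel. */

struct net_device;
struct header_ops {      /* models header_ops->create, called by dev_hard_header() */
    int (*create)(struct net_device *dev, unsigned char *buf, unsigned int len);
};
struct net_device {
    char name[16];
    const struct header_ops *header_ops;
    unsigned int hard_header_len;
    _Alignas(8) unsigned char priv[64];   /* private area returned by netdev_priv() */
};
static void *netdev_priv(struct net_device *dev) { return dev->priv; }

#define GRE_MAGIC  0x47524531u   /* marker written into a tunnel priv (assumption) */
#define BOND_MAGIC 0x424f4e44u   /* marker written into a bond priv (assumption) */

struct ip_tunnel {               /* what ipgre_header() expects netdev_priv() to be */
    uint32_t magic, saddr;
    uint16_t o_flags;
    uint8_t  protocol;
};
struct bonding {                 /* what netdev_priv() really is on the bond device */
    uint32_t magic;
    int mode;
    struct net_device *curr_active_slave;
};

/* Model of ipgre_header(): builds an 8-byte toy outer header from the tunnel priv.
 * The kernel dereferences priv unconditionally and faults on garbage; the magic
 * check here stands in for that crash so the confusion is reported, not executed. */
static int ipgre_header(struct net_device *dev, unsigned char *buf, unsigned int len)
{
    struct ip_tunnel *t = netdev_priv(dev);
    if (t->magic != GRE_MAGIC)
        return -2;               /* priv is not an ip_tunnel: type confusion */
    if (len < 8)
        return -1;
    memcpy(buf, &t->saddr, 4);
    memcpy(buf + 4, &t->o_flags, 2);
    buf[6] = t->protocol;
    buf[7] = 0;
    return 8;
}
static const struct header_ops ipgre_header_ops = { .create = ipgre_header };

/* Model of dev_hard_header(): a device without header_ops gets no L2 header. */
static int dev_hard_header(struct net_device *dev, unsigned char *buf, unsigned int len)
{
    if (!dev->header_ops || !dev->header_ops->create)
        return 0;
    return dev->header_ops->create(dev, buf, len);
}

/* Vulnerable bond_setup_by_slave(): copies the slave's header_ops verbatim, so the
 * callback later runs with dev == bond_dev and reads struct bonding as ip_tunnel. */
static void bond_setup_by_slave_vulnerable(struct net_device *bond, struct net_device *slave)
{
    bond->header_ops = slave->header_ops;
    bond->hard_header_len = slave->hard_header_len;
}

/* Fixed variant: the bond installs its own wrapper, which resolves the active
 * slave and calls the slave's header_ops on the slave device. */
static int bond_header_create(struct net_device *bond_dev, unsigned char *buf, unsigned int len)
{
    struct bonding *bond = netdev_priv(bond_dev);
    struct net_device *slave = bond->curr_active_slave;
    if (!slave)
        return 0;                /* no active slave: behave like a headerless device */
    return dev_hard_header(slave, buf, len);
}
static const struct header_ops bond_header_ops = { .create = bond_header_create };
static void bond_setup_by_slave_fixed(struct net_device *bond, struct net_device *slave)
{
    bond->header_ops = &bond_header_ops;
    bond->hard_header_len = slave->hard_header_len;
}

/* Builds gre1 and bond1, enslaves gre1 with the chosen setup routine and runs
 * dev_hard_header() on bond1. Returns the header length, 0 for "no header", or
 * -2 when the callback ran against the wrong private struct. */
int run_scenario(int fixed, int with_active_slave)
{
    struct net_device gre = { .name = "gre1", .header_ops = &ipgre_header_ops, .hard_header_len = 8 };
    struct net_device bond = { .name = "bond1" };
    unsigned char buf[16];
    struct ip_tunnel *t = netdev_priv(&gre);
    struct bonding *b = netdev_priv(&bond);

    t->magic = GRE_MAGIC;
    t->saddr = 0x0a000001u;      /* 10.0.0.1, the local address used in the reproduction */
    t->protocol = 0x2f;          /* IPPROTO_GRE */
    b->magic = BOND_MAGIC;
    b->curr_active_slave = with_active_slave ? &gre : NULL;

    if (fixed)
        bond_setup_by_slave_fixed(&bond, &gre);
    else
        bond_setup_by_slave_vulnerable(&bond, &gre);
    return dev_hard_header(&bond, buf, sizeof buf);
}
```

`run_scenario(0, 1)` models the vulnerable driver and returns -2 because `ipgre_header()` ran with `dev == bond1` and found `struct bonding` where it expected `struct ip_tunnel`; `run_scenario(1, 1)` models the wrapper fix and returns 8, the toy header built from `gre1`'s own private data; `run_scenario(1, 0)` shows the wrapper degrading to "no header" when the bond has no active slave instead of dereferencing a NULL device.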