[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2026-31419":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T20:55:29.923Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":17,"related":18,"reserved_at":9,"published_at":19,"modified_at":20,"state":9,"summary":21,"references_raw":23,"kevs":30,"epss":9,"epss_history":31,"metrics":32,"affected":39},"DEBIAN-CVE-2026-31419","In the Linux kernel, the following vulnerability has been resolved:  net: bonding: fix use-after-free in bond_xmit_broadcast()  bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave list during RCU-protected iteration, changing which slave is \"last\" mid-loop. This causes the original skb to be double-consumed (double-freed).  Replace the racy bond_is_last_slave() check with a simple index comparison (i + 1 == slaves_count) against the pre-snapshot slave count taken via READ_ONCE() before the loop.  This preserves the zero-copy optimization for the last slave while making the \"last\" determination stable against concurrent list mutations.  The UAF can trigger the following crash:  ================================================================== BUG: KASAN: slab-use-after-free in skb_clone Read of size 8 at addr ffff888100ef8d40 by task exploit/147  CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY Call Trace:  \u003CTASK>  dump_stack_lvl (lib/dump_stack.c:123)  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)  kasan_report (mm/kasan/report.c:597)  skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)  bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)  dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)  __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)  ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)  ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)  ip6_output (net/ipv6/ip6_output.c:250)  ip6_send_skb (net/ipv6/ip6_output.c:1985)  udp_v6_send_skb (net/ipv6/udp.c:1442)  udpv6_sendmsg (net/ipv6/udp.c:1733)  __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)  __x64_sys_sendto (net/socket.c:2209)  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)  \u003C/TASK>  Allocated by task 147:  Freed by task 147:  The buggy address belongs to the object at ffff888100ef8c80  which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 192 bytes inside of  freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)  Memory state around the buggy address:  ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc  ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc                                                     ^  ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb  ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================",null,[],[],[],[14],{"_key":15},"CVE-2026-31419",[],[],[],"2026-04-13T14:16:11.447Z","2026-05-08T17:00:21.521747Z",{"cisa_kev":22,"cisa_ransomware":22,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[24],{"url":25,"sources":26,"tags":28},"https://security-tracker.debian.org/tracker/CVE-2026-31419",[27],"osv_debian",[29],"Advisory",[],[],[33],{"source":27,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":34,"cvss_v4_0":9},{"baseScore":35,"baseSeverity":9,"vectorString":36,"impactScore":37,"exploitabilityScore":38},7.8,"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",9.8,4.6,[40],{"ecosystem":41,"name":42,"vendor":43,"product":42,"cpe_part":9,"purl_type":44,"purl_namespace":43,"purl_name":42,"source":9,"versions":45},"Debian","linux","debian","deb",[46,50,51,52,53,57],{"version":47,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"all",true,"ecosystem",{"version":47,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},{"version":47,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},{"version":47,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},{"version":54,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":55,"version_end_type":56,"fixed_in":9},"lt6_12_86_1","6.12.86-1","excluding",{"version":58,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":59,"version_end_type":56,"fixed_in":9},"lt6_19_12_1","6.19.12-1"]