
A single line of code merged into the Linux kernel back in 2007 sat quietly for nearly two decades before anyone realized it could hand attackers a fast, near-guaranteed path to root. Tracked as CVE-2026-43456, the flaw touches every kernel release from 2.6.24 through 6.12.77 — effectively the entire modern history of Linux — and was only patched this past March.
The bug was uncovered by Yuki Koike and Kota Toda of GMO Cybersecurity by Ierae, who stumbled onto it while combing through a crash report generated by syzkaller, Google's kernel fuzzing tool.
What began as routine root-cause analysis turned into a lengthy technical dig that the pair says was meaningfully aided by AI, even back in its 2025 form. They packaged their findings into a working exploit and submitted it to Google's kernelCTF bug bounty program, walking away with more than $80,000 — one of the program's larger payouts to date.
The root cause sits in net/bonding, the kernel subsystem that lets several network interfaces act as one. When a device joins a "bond," a function called bond_setup_by_slave() copies over the slave device's header-handling logic without verifying that the bond's private memory layout actually matches it.
Pair a bond with a GRE (Generic Routing Encapsulation) tunnel interface, and that mismatch becomes a classic type confusion bug — the kernel reads and writes memory as if it belongs to an entirely different data structure.
From there, the researchers built a two-stage exploit: first, leaking a kernel function address to defeat KASLR (the kernel's address randomization defense), then precisely chaining 329 GRE interfaces to force a memory overlap that lets them flip a single flag and hijack a function pointer. The payoff is brutal in its consistency — full root access in under a second, succeeding more than 99% of the time.
Exploitation requires the CAP_NET_ADMIN privilege, which unprivileged users can often obtain through user namespaces — a detail that makes containerized and rootless environments especially worth a second look.
Update affected systems immediately. Where patching isn't possible right away, disable the bonding module (rmmod bonding) or set kernel.unprivileged_userns_clone to 0 — though the latter will also break features like rootless Docker.