Reporting a 19+ Years Hidden Linux Kernel Zero-Day for Google kernelCTF: CVE-2026-43456
7.6 relevance
Score Breakdown
technical depth 9
novelty 9
actionability 4
community 8
strategic 8
personal 7
Scored daily by a customisable AI persona to surface the most relevant engineering leadership news.
Major kernel zero-day disclosure; significant for security and infrastructure.
Summary
A type confusion vulnerability in the Linux kernel's net/bonding subsystem, introduced in 2007 and fixed in March 2026, remained exploitable for over 19 years. Assigned CVE-2026-43456, it allows unprivileged users with CAP_NET_ADMIN to achieve reliable privilege escalation within one second at over 99% success rate. The discoverers earned over $80,000 from Google's kernelCTF bug bounty for reporting the flaw, which affects kernels from 2.6.24 through 6.12.77.