19+ Years Hidden, $80,000+ Rewarded: Reporting a Linux Kernel Zero-Day for Google kernelCTF: CVE-2026-43456
Summary
Two researchers reported CVE-2026-43456, a Linux kernel vulnerability in net/bonding that remained undiscovered for 19 years and can be exploited with high reliability. The post details the root cause, exploit approach, and a Google kernelCTF bug bounty award over $80k. It also covers mitigations and the broader implications for kernel security and patch timelines.