CVE-2026-23204
7.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: cls_u32: use skb_header_pointer_careful()
skb_header_pointer() does not fully validate negative @offset values.
Use skb_header_pointer_careful() instead.
GangMin Kim provided a report and a repro fooling u32_classify():
BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0 net/sched/cls_u32.c:221
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d < 66e4b63d61c15de6ca5332d9ca6db59a404d7136 | affected |
| Linux | Linux | fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d < 29681ed51e737be14d18ecd1c304c57002e4b72c | affected |
| Linux | Linux | fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d < cfa745830e45ecb75c061aa34330ee0cac941cc7 | affected |
| Linux | Linux | fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d < 13336a6239b9d7c6e61483017bb8bdfe3ceb10a5 | affected |
| Linux | Linux | fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d < e41a23e61259f5526af875c3b86b3d42a9bae0e5 | affected |
| Linux | Linux | fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d < 8a672f177ebe19c93d795fbe967846084fbc7943 | affected |
| Linux | Linux | fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d < cabd1a976375780dabab888784e356f574bbaed8 | affected |
| Linux | Linux | 2.6.35 | affected |
| Linux | Linux | 0 < 2.6.35 | unaffected |
| Linux | Linux | 5.10.260 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.209 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.167 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.124 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.70 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.10 <= 6.18.* | unaffected |
| Linux | Linux | 6.19 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/66e4b63d61c15de6ca5332d9ca6db59a404d7136
- https://git.kernel.org/stable/c/29681ed51e737be14d18ecd1c304c57002e4b72c
- https://git.kernel.org/stable/c/cfa745830e45ecb75c061aa34330ee0cac941cc7
- https://git.kernel.org/stable/c/13336a6239b9d7c6e61483017bb8bdfe3ceb10a5
- https://git.kernel.org/stable/c/e41a23e61259f5526af875c3b86b3d42a9bae0e5
- https://git.kernel.org/stable/c/8a672f177ebe19c93d795fbe967846084fbc7943
- https://git.kernel.org/stable/c/cabd1a976375780dabab888784e356f574bbaed8
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.