PatchSiren

CVE-2026-23204 Linux CVE debrief

A slab-out-of-bounds read vulnerability exists in the Linux kernel's `cls_u32` network traffic classifier. The `u32_classify()` function in `net/sched/cls_u32.c` uses `skb_header_pointer()`, which does not fully validate negative offset values. An attacker with local access can supply a crafted packet with a negative offset that bypasses validation, triggering a KASAN-detected out-of-bounds read in kernel memory. The vulnerability was reported and reproduced by GangMin Kim, demonstrating a slab-out-of-bounds condition at `u32_classify+0x1180/0x11b0`. The fix replaces `skb_header_pointer()` with `skb_header_pointer_careful()`, which properly validates negative offsets. This affects Linux kernel versions from 2.6.35.1 through 6.6.123, 6.7 through 6.12.69, 6.13 through 6.18.9, and selected 2.6.35 pre-release and 6.19 release candidate versions. The CVSS 3.1 vector indicates local attack vector, low attack complexity, low privileges required, no user interaction, with high impact to confidentiality and availability.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-14
Original CVE updated: 2026-06-01
Advisory published: 2026-02-14
Advisory updated: 2026-06-01

Who should care

Linux system administrators, kernel maintainers, cloud infrastructure operators, and security teams managing container or VM hosts where unprivileged users may have access to network namespace or tc configuration capabilities.

Technical summary

The `cls_u32` network traffic classifier in the Linux kernel's traffic control (tc) subsystem uses `skb_header_pointer()` to access packet headers at programmer-specified offsets. This helper does not fully validate negative offset values, allowing a crafted packet or filter configuration to specify a negative offset that results in reading memory before the allocated skb data buffer. The vulnerability manifests as a slab-out-of-bounds read detected by KASAN in `u32_classify()` at `net/sched/cls_u32.c:221`. The fix introduces `skb_header_pointer_careful()`, which adds proper negative offset validation. Exploitation requires local access to configure tc filters or inject crafted packets through permitted interfaces. The vulnerability has high confidentiality and availability impact but no integrity impact per CVSS scoring.
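
A simplified user-space model of the check described above, added here as an illustration and not taken from the kernel source or the advisory: the struct, the function names, the buffer sizes and the exact form of both checks are assumptions of this example. It shows why a length-only test accepts any negative offset and how an explicit lower bound on the offset closes the gap.

```c
#include <stdio.h>

/* Constructed model of a packet buffer; names and sizes are hypothetical. */
struct model_buf {
    int headroom; /* bytes between allocation start and packet start */
    int headlen;  /* linear packet bytes available from packet start */
};
static const struct model_buf sample = { 64, 128 }; /* constructed sizes */

/* Length-only check (assumed model of the weak helper): a negative
 * offset only makes the left-hand side larger, so it always passes. */
static int length_only_accepts(const struct model_buf *b, int offset, int len)
{
    return (long long)b->headlen - offset >= len;
}

/* Careful variant (assumed shape of the fix): refuse an offset that
 * reaches before the start of the allocation, then length-check. */
static int careful_accepts(const struct model_buf *b, int offset, int len)
{
    if (offset < -b->headroom)
        return 0;
    return length_only_accepts(b, offset, len);
}

/* Ground truth: does [offset, offset + len) stay inside the allocation? */
static int inside_allocation(const struct model_buf *b, int offset, int len)
{
    long long start = (long long)b->headroom + offset;
    return start >= 0 && start + len <= (long long)b->headroom + b->headlen;
}

/* Count offsets in [lo, hi] that `check` accepts although they leave the allocation. */
static int count_unsafe_accepts(const struct model_buf *b, int lo, int hi, int len,
                                int (*check)(const struct model_buf *, int, int))
{
    int n = 0;
    for (int off = lo; off <= hi; off++)
        if (check(b, off, len) && !inside_allocation(b, off, len))
            n++;
    return n;
}

int main(void)
{
    printf("length-only: %d\n", count_unsafe_accepts(&sample, -256, 256, 4, length_only_accepts));
    printf("careful:     %d\n", count_unsafe_accepts(&sample, -256, 256, 4, careful_accepts));
    return 0;
}
```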

Defensive priority

high

Recommended defensive actions

  • Apply upstream stable kernel patches that replace `skb_header_pointer()` with `skb_header_pointer_careful()` in `net/sched/cls_u32.c`
  • Prioritize patching systems running affected kernel versions: 2.6.35.1 through 6.6.123, 6.7 through 6.12.69, 6.13 through 6.18.9, and 6.19-rc kernels
  • Restrict unprivileged user namespaces and network configuration capabilities where cls_u32 classifiers are deployed
  • Monitor for kernel KASAN/slab-out-of-bounds alerts in system logs as potential exploitation indicators
  • Validate that local attack surface for network queueing disciplines (tc/qdisc) is limited to trusted administrative users

Evidence notes

CVE description confirms vulnerability in `net/sched/cls_u32.c` at line 221. KASAN slab-out-of-bounds report reproduced by GangMin Kim. NVD CPE criteria specify affected kernel version ranges. Multiple stable kernel patches referenced via git.kernel.org. CVSS 3.1 score of 7.1 (HIGH) with `AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H` vector. CWE-125 (Out-of-bounds Read) assigned by NVD.

Official resources

2026-02-14