PatchSiren cyber security CVE debrief

CVE-2026-23270 Linux CVE debrief

CVE-2026-23270 is a Linux kernel networking issue in net/sched affecting act_ct. The kernel fix restricts act_ct so it can bind only to clsact/ingress qdiscs and shared blocks, while still allowing clsact-based egress use. The underlying concern is a use-after-free scenario where classify can return TC_ACT_CONSUMED while the skb is still held by the defragmentation engine, and the packet may later be touched again.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-18
Original CVE updated: 2026-04-18
Advisory published: 2026-03-18
Advisory updated: 2026-04-18

Who should care

Linux kernel maintainers, distro security teams, and operators using tc/traffic-control configurations with act_ct, especially on systems where local users can influence qdisc or filter setup. Security teams should treat this as a kernel memory-corruption issue with local exploitation potential.

Technical summary

Per the supplied kernel description, act_ct was not intended for the egress path, but some deployments attached it there. The fix narrows where act_ct may bind: only clsact/ingress qdiscs and shared blocks are allowed. This matters because classify can return TC_ACT_CONSUMED while the current skb is still owned by the defragmentation engine; if that skb is touched again later, a use-after-free may occur. The official CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, consistent with a local, low-privilege, high-impact kernel issue.

Defensive priority

High. The CVSS 7.8 rating and high confidentiality/integrity/availability impact make this a priority kernel fix, especially for hosts using tc with act_ct. Update to kernels containing the restriction and review any non-clsact act_ct deployments.

Recommended defensive actions

  • Apply the kernel update or backport that restricts act_ct to clsact/ingress qdiscs and shared blocks.
  • Audit tc configurations for act_ct on non-clsact qdiscs or unexpected egress placements.
  • Verify any automation or orchestration that creates traffic-control rules does not depend on unsupported act_ct bindings.
  • Prioritize patching hosts where local users can influence network qdisc or filter configuration.
  • Monitor vendor advisories and backport status for your kernel branch.
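One way to carry out the audit in the second bullet, as an added example that is not part of the PatchSiren debrief or of the kernel fix: a script that walks `tc -j qdisc show` output and flags act_ct actions (printed by iproute2 as kind `ct`) found on any qdisc other than clsact/ingress. The JSON field names used (`kind`, `dev`, `handle`, `options.actions[].kind`) are assumed to match your iproute2 version, and the sample data is constructed.

```python
import json
import subprocess

# After the fix, act_ct may bind only to these qdisc kinds (plus shared blocks).
ALLOWED_QDISC_KINDS = {"clsact", "ingress"}

def filter_has_ct(flt):
    """True if one tc filter entry (JSON object) carries an act_ct action (kind "ct")."""
    actions = flt.get("options", {}).get("actions", [])
    return any(a.get("kind") == "ct" for a in actions)

def find_unsupported_ct_bindings(qdiscs, filters_for):
    """Return (dev, qdisc_kind, handle) for every non-clsact/ingress qdisc that has an act_ct filter.

    qdiscs: objects as printed by `tc -j qdisc show` (assumed field names).
    filters_for(dev, handle): filter objects attached to that qdisc
    (live: `tc -j filter show dev <dev> parent <handle>`).
    Shared blocks remain a supported binding and are not inspected here.
    """
    findings = []
    for q in qdiscs:
        kind, dev, handle = q.get("kind"), q.get("dev"), q.get("handle")
        if kind in ALLOWED_QDISC_KINDS or not dev or not handle:
            continue
        if any(filter_has_ct(f) for f in filters_for(dev, handle)):
            findings.append((dev, kind, handle))
    return findings

def tc_json(*args):
    """Live helper: run `tc -j ...` on this host and parse its output."""
    out = subprocess.run(["tc", "-j", *args], check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else []

# Constructed sample: eth0 uses clsact (supported), eth1 has act_ct under an htb root (flagged),
# eth2 has a filter without act_ct (ignored).
SAMPLE_QDISCS = [
    {"kind": "clsact", "dev": "eth0", "handle": "ffff:", "parent": "ffff:fff1"},
    {"kind": "htb", "dev": "eth1", "handle": "1:", "root": True},
    {"kind": "fq_codel", "dev": "eth2", "handle": "0:", "root": True},
]
SAMPLE_FILTERS = {
    ("eth0", "ffff:"): [{"kind": "flower", "options": {"actions": [{"order": 1, "kind": "ct"}]}}],
    ("eth1", "1:"): [{"kind": "flower", "options": {"actions": [{"order": 1, "kind": "ct"},
                                                              {"order": 2, "kind": "gact"}]}}],
    ("eth2", "0:"): [{"kind": "flower", "options": {"actions": [{"order": 1, "kind": "mirred"}]}}],
}

def audit_sample():
    return find_unsupported_ct_bindings(SAMPLE_QDISCS, lambda d, h: SAMPLE_FILTERS.get((d, h), []))

def audit_live():
    """Audit the running host; check shared blocks separately with `tc -j filter show block <id>`."""
    return find_unsupported_ct_bindings(tc_json("qdisc", "show"),
                                        lambda d, h: tc_json("filter", "show", "dev", d, "parent", h))

if __name__ == "__main__":
    for dev, kind, handle in audit_sample():
        print(f"act_ct bound to unsupported qdisc: dev={dev} kind={kind} handle={handle}")
```

Filters attached to individual classes (for example `parent 1:10`) are not dumped by the per-qdisc query above and would need a second pass over `tc -j class show`.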

Evidence notes

The vulnerability description and fix scope come from the supplied CVE text. NVD metadata lists CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and references multiple kernel stable commit links. The NVD record was still marked 'Undergoing Analysis' at the supplied modified date.

Official resources

Publicly disclosed in the supplied CVE record on 2026-03-18; modified on 2026-04-18. The corpus does not provide a strong product/vendor attribution, so this debrief treats it as a Linux kernel issue rather than a product-specific advisory.