{
  "threat_severity" : "Moderate",
  "public_date" : "2026-02-14T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net/sched: cls_u32: use skb_header_pointer_careful()",
    "id" : "2439931",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2439931"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1285",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/sched: cls_u32: use skb_header_pointer_careful()\nskb_header_pointer() does not fully validate negative @offset values.\nUse skb_header_pointer_careful() instead.\nGangMin Kim provided a report and a repro fooling u32_classify():\nBUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0\nnet/sched/cls_u32.c:221" ],
  "statement" : "An out-of-bounds memory access vulnerability exists in the Linux traffic control u32 classifier implementation. In u32_classify(), the kernel calculates offsets such as toff using key off values, masks and variable offsets, and then dereferences packet data using skb_header_pointer(). The helper skb_header_pointer() does not fully validate negative offset values. With a crafted configuration and packet layout, the computed offset can become negative or otherwise invalid in a way that bypasses the existing checks and results in an out-of-bounds access. The most direct impact is a kernel crash causing a denial of service. Because the access pattern involves reading packet data at attacker-influenced offsets, it may also allow information disclosure of adjacent kernel memory and, in worst cases, could contribute to privilege escalation chains. Exploitation prerequisites depend on whether the system has tc u32 filters configured on a traffic path. For the CVSS, the base score uses PR:L because configuring tc filters typically requires elevated privileges, but that ability can be available in containers or network namespaces with CAP_NET_ADMIN.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-04-06T00:00:00Z",
    "advisory" : "RHSA-2026:6632",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.49.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-03-30T00:00:00Z",
    "advisory" : "RHSA-2026:6036",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.115.1.rt7.456.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-03-30T00:00:00Z",
    "advisory" : "RHSA-2026:6037",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.115.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-03-30T00:00:00Z",
    "advisory" : "RHSA-2026:6153",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.45.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-03-30T00:00:00Z",
    "advisory" : "RHSA-2026:6153",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.45.1.el9_7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23204\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23204\nhttps://lore.kernel.org/linux-cve-announce/2026021437-CVE-2026-23204-be85@gregkh/T" ],
  "name" : "CVE-2026-23204",
  "csaw" : false
}