{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23204", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.986Z", "datePublished": "2026-02-14T16:27:27.708Z", "dateUpdated": "2026-05-11T22:02:20.203Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:02:20.203Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_u32: use skb_header_pointer_careful()\n\nskb_header_pointer() does not fully validate negative @offset values.\n\nUse skb_header_pointer_careful() instead.\n\nGangMin Kim provided a report and a repro fooling u32_classify():\n\nBUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0\nnet/sched/cls_u32.c:221"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/cls_u32.c"], "versions": [{"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d", "lessThan": "cfa745830e45ecb75c061aa34330ee0cac941cc7", "status": "affected", "versionType": "git"}, {"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d", "lessThan": "13336a6239b9d7c6e61483017bb8bdfe3ceb10a5", "status": "affected", "versionType": "git"}, {"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d", "lessThan": "e41a23e61259f5526af875c3b86b3d42a9bae0e5", "status": "affected", "versionType": "git"}, {"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d", "lessThan": "8a672f177ebe19c93d795fbe967846084fbc7943", "status": "affected", "versionType": "git"}, {"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d", "lessThan": "cabd1a976375780dabab888784e356f574bbaed8", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/cls_u32.c"], "versions": [{"version": "2.6.35", "status": "affected"}, {"version": "0", "lessThan": "2.6.35", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.124", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.70", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.10", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.35", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.35", "versionEndExcluding": "6.6.124"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.35", "versionEndExcluding": "6.12.70"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.35", "versionEndExcluding": "6.18.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.35", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/cfa745830e45ecb75c061aa34330ee0cac941cc7"}, {"url": "https://git.kernel.org/stable/c/13336a6239b9d7c6e61483017bb8bdfe3ceb10a5"}, {"url": "https://git.kernel.org/stable/c/e41a23e61259f5526af875c3b86b3d42a9bae0e5"}, {"url": "https://git.kernel.org/stable/c/8a672f177ebe19c93d795fbe967846084fbc7943"}, {"url": "https://git.kernel.org/stable/c/cabd1a976375780dabab888784e356f574bbaed8"}], "title": "net/sched: cls_u32: use skb_header_pointer_careful()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CDD3DE1F-BBB8-495C-81E8-5D36799A6116", "versionEndExcluding": "6.6.124", "versionStartIncluding": "2.6.35.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F3791390-0628-4808-99EF-1ED8ABF60933", "versionEndExcluding": "6.12.70", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7156C23F-009E-4D05-838C-A2DA417B5B8D", "versionEndExcluding": "6.18.10", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.35:-:*:*:*:*:*:*", "matchCriteriaId": "11B11B98-42CE-41C8-A40E-FAA230FD2A76", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.35:rc2:*:*:*:*:*:*", "matchCriteriaId": "EA4BC3D2-70FF-4EED-9DC8-B378F88F4D36", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.35:rc3:*:*:*:*:*:*", "matchCriteriaId": "A7ACC123-06D8-4A3F-8730-AA7FF6EFBD35", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.35:rc4:*:*:*:*:*:*", "matchCriteriaId": "3F6891F7-2B07-4A96-A0D6-AC528B7E0DD8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.35:rc5:*:*:*:*:*:*", "matchCriteriaId": "657BCE5D-DC8B-4BE2-AED8-BC52C738F999", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.35:rc6:*:*:*:*:*:*", "matchCriteriaId": "160E9402-241A-44AE-A92A-9629CA656F38", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_u32: use skb_header_pointer_careful()\n\nskb_header_pointer() does not fully validate negative @offset values.\n\nUse skb_header_pointer_careful() instead.\n\nGangMin Kim provided a report and a repro fooling u32_classify():\n\nBUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0\nnet/sched/cls_u32.c:221"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet/sched: cls_u32: usar skb_header_pointer_careful()\n\nskb_header_pointer() no valida completamente los valores negativos de @offset.\n\nUsar skb_header_pointer_careful() en su lugar.\n\nGangMin Kim proporcion\u00f3 un informe y una reproducci\u00f3n enga\u00f1ando a u32_classify():\n\nBUG: KASAN: slab-out-of-bounds en u32_classify+0x1180/0x11b0\nnet/sched/cls_u32.c:221"}], "id": "CVE-2026-23204", "lastModified": "2026-04-03T14:16:27.310", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-14T17:15:58.297", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/13336a6239b9d7c6e61483017bb8bdfe3ceb10a5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8a672f177ebe19c93d795fbe967846084fbc7943"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cabd1a976375780dabab888784e356f574bbaed8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cfa745830e45ecb75c061aa34330ee0cac941cc7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e41a23e61259f5526af875c3b86b3d42a9bae0e5"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: net/sched: cls_u32: use skb_header_pointer_careful()", "id": "2439931", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439931"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet/sched: cls_u32: use skb_header_pointer_careful()\nskb_header_pointer() does not fully validate negative @offset values.\nUse skb_header_pointer_careful() instead.\nGangMin Kim provided a report and a repro fooling u32_classify():\nBUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0\nnet/sched/cls_u32.c:221"], "name": "CVE-2026-23204", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23204\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23204\nhttps://lore.kernel.org/linux-cve-announce/2026021437-CVE-2026-23204-be85@gregkh/T"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d,13336a6239b9d7c6e61483017bb8bdfe3ceb10a5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d,e41a23e61259f5526af875c3b86b3d42a9bae0e5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d,8a672f177ebe19c93d795fbe967846084fbc7943)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d,cabd1a976375780dabab888784e356f574bbaed8)"}}], "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.35"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.35)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.124,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.70,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.10,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19,*]"}}], "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-16T00:42:45.573707+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel release that includes the patch replacing skb_header_pointer() with skb_header_pointer_careful()", "If an immediate kernel update is not feasible, disable or unload the cls_u32 module to eliminate the vulnerable code path", "Review and adjust any packet filtering rules or traffic classes that rely on u32 classification to remove or modify them"], "summary": {"action": "Patch", "impact": "Out-of-Bounds Read in Linux kernel net/sched: cls_u32 module"}, "threat_synthesis": {"affected_systems": "All currently released Linux kernel versions that include the u32 classifier are impacted. The CPE entries list a broad range of releases from early 2.6.35 release candidates through 6.19 release candidates (rc1\u2013rc8), and the vendor list indicates the generic Linux kernel in use. Any system operating a kernel that contains the indicated commit before the patch is vulnerable, regardless of distribution or patch level.", "description_and_impact": "The vulnerability resides in the Linux kernel\u2019s net/sched subsystem, specifically within the u32 classifier. The function skb_header_pointer() does not fully validate negative offset values, allowing the code to request packet header data from an out\u2011of\u2011bounds location. This flaw permits a kernel memory read outside its intended bounds, as demonstrated by the KASAN report when u32_classify() is invoked. The immediate consequence is potential information disclosure; leaking kernel memory contents could provide attackers with data useful for more advanced exploits, though it does not directly grant code execution. The weakness is classified as CWE\u2011125, Out\u2011of\u2011Bound Read.", "risk_and_exploitability": "The CVSS score of 7.1 signals moderate\u2011high severity. EPSS is very low (<1%), meaning wild exploitation is unlikely at present, and the vulnerability is not in the CISA KEV catalog. The attack vector is not explicitly described in the CVE data, but it is inferred that an attacker would need the ability to inject crafted packets that trigger the u32 classifier. This typically requires local or privileged access to the network stack, suggesting the vulnerability is more likely to be exploited from a local compromise or by a malicious process that can influence traffic processed by the cls_u32 module. Once triggered, the out\u2011of\u2011bounds read could leak sensitive kernel memory data, potentially aiding further attacks such as privilege escalation or sophisticated denial\u2011of\u2011service scenarios. The patch replaces skb_header_pointer() with skb_header_pointer_careful(), adding proper bounds checking and thereby eliminating the vulnerability."}}}}, "created": "2026-02-16T09:43:28.352729+00:00", "updated": "2026-04-16T00:45:15.974616+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}