{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23270", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.991Z", "datePublished": "2026-03-18T17:54:43.803Z", "dateUpdated": "2026-05-11T22:03:36.964Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:03:36.964Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks\n\nAs Paolo said earlier [1]:\n\n\"Since the blamed commit below, classify can return TC_ACT_CONSUMED while\nthe current skb being held by the defragmentation engine. As reported by\nGangMin Kim, if such packet is that may cause a UaF when the defrag engine\nlater on tries to tuch again such packet.\"\n\nact_ct was never meant to be used in the egress path, however some users\nare attaching it to egress today [2]. Attempting to reach a middle\nground, we noticed that, while most qdiscs are not handling\nTC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we\naddress the issue by only allowing act_ct to bind to clsact/ingress\nqdiscs and shared blocks. That way it's still possible to attach act_ct to\negress (albeit only with clsact).\n\n[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/\n[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/act_api.h", "net/sched/act_ct.c", "net/sched/cls_api.c"], "versions": [{"version": "172ba7d46c202e679f3ccb10264c67416aaeb1c4", "lessThan": "bc4e5bb529823a09f02dbe96169de679a9db26e0", "status": "affected", "versionType": "git"}, {"version": "0b5b831122fc3789fff75be433ba3e4dd7b779d4", "lessThan": "fb3c380a54e33d1fd272cc342faa906d787d7ef1", "status": "affected", "versionType": "git"}, {"version": "73f7da5fd124f2cda9161e2e46114915e6e82e97", "lessThan": "5a110ddcc99bda77a28598b3555fe009eaab3828", "status": "affected", "versionType": "git"}, {"version": "3f14b377d01d8357eba032b4cabc8c1149b458b6", "lessThan": "524ce8b4ea8f64900b6c52b6a28df74f6bc0801e", "status": "affected", "versionType": "git"}, {"version": "3f14b377d01d8357eba032b4cabc8c1149b458b6", "lessThan": "380ad8b7c65ea7aa10ef2258297079ed5ac1f5b6", "status": "affected", "versionType": "git"}, {"version": "3f14b377d01d8357eba032b4cabc8c1149b458b6", "lessThan": "9deda0fcda5c1f388c5e279541850b71a2ccfcf4", "status": "affected", "versionType": "git"}, {"version": "3f14b377d01d8357eba032b4cabc8c1149b458b6", "lessThan": "11cb63b0d1a0685e0831ae3c77223e002ef18189", "status": "affected", "versionType": "git"}, {"version": "f5346df0591d10bc948761ca854b1fae6d2ef441", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/act_api.h", "net/sched/act_ct.c", "net/sched/cls_api.c"], "versions": [{"version": "6.8", "status": "affected"}, {"version": "0", "lessThan": "6.8", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.18", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.8", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.148", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.75", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.14", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.18.18"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.19.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7.2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/bc4e5bb529823a09f02dbe96169de679a9db26e0"}, {"url": "https://git.kernel.org/stable/c/fb3c380a54e33d1fd272cc342faa906d787d7ef1"}, {"url": "https://git.kernel.org/stable/c/5a110ddcc99bda77a28598b3555fe009eaab3828"}, {"url": "https://git.kernel.org/stable/c/524ce8b4ea8f64900b6c52b6a28df74f6bc0801e"}, {"url": "https://git.kernel.org/stable/c/380ad8b7c65ea7aa10ef2258297079ed5ac1f5b6"}, {"url": "https://git.kernel.org/stable/c/9deda0fcda5c1f388c5e279541850b71a2ccfcf4"}, {"url": "https://git.kernel.org/stable/c/11cb63b0d1a0685e0831ae3c77223e002ef18189"}], "title": "net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks\n\nAs Paolo said earlier [1]:\n\n\"Since the blamed commit below, classify can return TC_ACT_CONSUMED while\nthe current skb being held by the defragmentation engine. As reported by\nGangMin Kim, if such packet is that may cause a UaF when the defrag engine\nlater on tries to tuch again such packet.\"\n\nact_ct was never meant to be used in the egress path, however some users\nare attaching it to egress today [2]. Attempting to reach a middle\nground, we noticed that, while most qdiscs are not handling\nTC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we\naddress the issue by only allowing act_ct to bind to clsact/ingress\nqdiscs and shared blocks. That way it's still possible to attach act_ct to\negress (albeit only with clsact).\n\n[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/\n[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet/sched: Solo permitir que act_ct se vincule a qdiscs clsact/de entrada y bloques compartidos\n\nComo Paolo dijo anteriormente [1]:\n\n'Desde el commit culpado a continuaci\u00f3n, classify puede devolver TC_ACT_CONSUMED mientras el skb actual est\u00e1 siendo retenido por el motor de desfragmentaci\u00f3n. Seg\u00fan lo informado por GangMin Kim, si dicho paquete es uno que puede causar un UaF cuando el motor de desfragmentaci\u00f3n m\u00e1s tarde intente tocar de nuevo dicho paquete.'\n\nact_ct nunca estuvo destinado a ser usado en la ruta de salida, sin embargo, algunos usuarios lo est\u00e1n adjuntando a la salida hoy [2]. Intentando llegar a un punto intermedio, notamos que, mientras que la mayor\u00eda de los qdiscs no est\u00e1n manejando TC_ACT_CONSUMED, los qdiscs clsact/de entrada s\u00ed lo est\u00e1n. Con eso en mente, abordamos el problema permitiendo solo que act_ct se vincule a qdiscs clsact/de entrada y bloques compartidos. De esa manera, todav\u00eda es posible adjuntar act_ct a la salida (aunque solo con clsact).\n\n[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/\n[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/"}], "id": "CVE-2026-23270", "lastModified": "2026-04-18T09:16:15.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-03-18T18:16:26.053", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/11cb63b0d1a0685e0831ae3c77223e002ef18189"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/380ad8b7c65ea7aa10ef2258297079ed5ac1f5b6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/524ce8b4ea8f64900b6c52b6a28df74f6bc0801e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5a110ddcc99bda77a28598b3555fe009eaab3828"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9deda0fcda5c1f388c5e279541850b71a2ccfcf4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bc4e5bb529823a09f02dbe96169de679a9db26e0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fb3c380a54e33d1fd272cc342faa906d787d7ef1"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks", "id": "2448745", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448745"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["No description is available for this CVE."], "name": "CVE-2026-23270", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23270\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23270\nhttps://lore.kernel.org/linux-cve-announce/2026031847-CVE-2026-23270-cb9a@gregkh/T"], "statement": "A use after free risk exists in the traffic control act_ct path when it is attached to non ingress egress qdiscs. In this configuration classify can return TC_ACT_CONSUMED while the skb is still held by the defragmentation engine. That can result in the skb being consumed and later accessed again by defragmentation which may lead to a kernel crash. Impact is denial of service in the common case, but keeping in mind that a kernel UAF could be exploitable for privilege escalation in some cases. The bug could happen only if some specific configuration being used (when tc/action being used and if the act_ct linked to incorrect qdisc/block), and in some cases regular user (is with some privileges) can make such configuration.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3f14b377d01d8357eba032b4cabc8c1149b458b6,524ce8b4ea8f64900b6c52b6a28df74f6bc0801e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3f14b377d01d8357eba032b4cabc8c1149b458b6,380ad8b7c65ea7aa10ef2258297079ed5ac1f5b6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3f14b377d01d8357eba032b4cabc8c1149b458b6,9deda0fcda5c1f388c5e279541850b71a2ccfcf4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3f14b377d01d8357eba032b4cabc8c1149b458b6,11cb63b0d1a0685e0831ae3c77223e002ef18189)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "172ba7d46c202e679f3ccb10264c67416aaeb1c4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "0b5b831122fc3789fff75be433ba3e4dd7b779d4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "73f7da5fd124f2cda9161e2e46114915e6e82e97"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "f5346df0591d10bc948761ca854b1fae6d2ef441"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.8"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.8)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.18,6.19.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.8,6.20.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-02T16:47:16.325745+00:00", "value": {"mitigation_remediation": ["Update the kernel to a version that incorporates the act_ct binding restriction patch.", "Verify that act_ct is only attached to clsact or ingress qdiscs; reconfigure any egress attachments that use other qdiscs to clsact.", "Monitor kernel logs (e.g., dmesg) for crashes related to act_ct and investigate immediately.", "If update is not possible, consider disabling act_ct from egress paths until a patched kernel is available."], "summary": {"action": "Immediate Patch", "impact": "Kernel Crash (Denial of Service)"}, "threat_synthesis": {"affected_systems": "The vulnerability resides in the Linux kernel and affects any system running a kernel version that contains the original act_ct implementation before the fix. All kernels before the patch that allows act_ct to bind only to clsact or ingress qdiscs are vulnerable, irrespective of vendor or distribution.", "description_and_impact": "The act_ct classifier in the Linux kernel has a use\u2011after\u2011free bug that can be triggered when it consumes a packet still protected by the defragmentation engine. The kernel may later dereference this packet\u2019s socket buffer, leading to a crash. This memory corruption causes denial of service and can give a privileged attacker a foothold for further exploitation.", "risk_and_exploitability": "With a CVSS score of 7.8, the flaw is high severity, but the EPSS score is below 1%, indicating a low probability of exploitation in practice. It is not cataloged in CISA\u2019s KEV list. Exploitation requires an attacker with local or privileged access able to configure networking classes, making this risk most pertinent to administrators who deploy act_ct in egress paths."}}}}, "created": "2026-03-19T08:55:48.729801+00:00", "updated": "2026-04-02T20:23:25.947740+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}