CVE-2026-23204 in Linuxinfo

Summary

by MITRE • 02/14/2026

In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_u32: use skb_header_pointer_careful()

skb_header_pointer() does not fully validate negative @offset values.

Use skb_header_pointer_careful() instead.

GangMin Kim provided a report and a repro fooling u32_classify():

BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0 net/sched/cls_u32.c:221

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 06/02/2026

The vulnerability identified as CVE-2026-23204 resides within the Linux kernel's traffic control subsystem, specifically in the cls_u32 classifier module. This issue affects the network packet classification functionality that is fundamental to Quality of Service implementations and network traffic management. The vulnerability stems from improper handling of negative offset values during packet header processing, creating a potential pathway for memory corruption attacks that could compromise system integrity and stability. The flaw manifests in the u32_classify function which is responsible for classifying packets based on u32 (32-bit) matching rules within the traffic control framework.

The technical root cause involves the improper use of the skb_header_pointer() function which fails to adequately validate negative offset parameters during packet header access operations. This function, when provided with negative offset values, does not perform comprehensive bounds checking that would prevent access to memory locations outside the valid packet buffer boundaries. The vulnerability specifically occurs at line 221 in the net/sched/cls_u32.c file where the u32_classify function processes packet classification. The kernel's memory safety mechanism KASAN (Kernel Address Sanitizer) detected this issue as a slab-out-of-bounds error, indicating that the function accessed memory beyond the allocated buffer space. This type of vulnerability falls under the CWE-129 weakness category, which represents "Improper Validation of Array Index" and aligns with the ATT&CK technique T1059.001 for Command and Scripting Interpreter.

The operational impact of this vulnerability extends beyond simple memory corruption, as it could enable attackers to manipulate packet classification rules and potentially bypass network security controls. When exploited, the vulnerability may allow for privilege escalation or denial of service conditions that could affect network performance and system availability. The u32_classify function operates at a critical point in the network stack where packet processing occurs, making it a prime target for exploitation. The vulnerability affects systems running Linux kernels that implement the cls_u32 classifier, particularly those utilizing advanced traffic control features for network management. This flaw represents a significant security concern for network infrastructure components that rely on kernel-based packet classification for traffic shaping and quality of service implementations.

Mitigation strategies for CVE-2026-23204 focus on implementing the recommended code fix that replaces skb_header_pointer() with the more robust skb_header_pointer_careful() function. This change ensures that negative offset values are properly validated before memory access operations occur, preventing out-of-bounds memory access. System administrators should prioritize kernel updates that include this fix, as the vulnerability could be exploited to gain unauthorized access to system resources or disrupt network operations. The fix addresses the core issue by implementing proper bounds checking mechanisms that align with secure coding practices recommended by the CERT/CC Secure Coding Standards. Organizations should also monitor their network traffic control implementations to ensure that no malicious packet patterns could be crafted to exploit this vulnerability during the transition period before full patch deployment. Additionally, implementing network segmentation and access controls can provide defense-in-depth measures that reduce the potential impact of such vulnerabilities.

Responsible

Linux

Reservation

01/13/2026

Disclosure

02/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00117

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!