VYPR
High severity 7.1 · NVD Advisory · Published Feb 14, 2026 · Updated Apr 3, 2026

CVE-2026-23204

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_u32: use skb_header_pointer_careful()

skb_header_pointer() does not fully validate negative @offset values.

Use skb_header_pointer_careful() instead.

GangMin Kim provided a report and a repro fooling u32_classify():

BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0 net/sched/cls_u32.c:221

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A slab-out-of-bounds bug in the Linux kernel's cls_u32 packet classifier due to missing negative offset validation in skb_header_pointer() is fixed by switching to skb_header_pointer_careful().

Root Cause

The vulnerability resides in the cls_u32 packet classifier (net/sched) in the Linux kernel. The classifier called skb_header_pointer(), which does not fully validate negative @offset values, allowing an attacker to trigger an out-of-bounds read. GangMin Kim reported the issue with a reproducer that produced a KASAN slab-out-of-bounds report in u32_classify() at net/sched/cls_u32.c:221 [1][description].

Exploitation

To exploit this issue, an attacker must be able to send crafted network packets to a system that uses the u32 classifier (commonly via tc filters). No authentication is required, as the bug is reachable during packet classification in the network stack. The negative offset bypasses the intended bounds checking, leading to a memory access beyond the allocated slab [description].

Impact

A successful out-of-bounds read can cause a kernel crash (denial of service) or potentially leak sensitive kernel memory. The KASAN report indicates a slab-out-of-bounds [description], which could be leveraged for information disclosure or further exploitation.

Mitigation

The fix replaces the call to skb_header_pointer() with skb_header_pointer_careful(), which properly validates the offset parameter. The patch has been applied to the stable kernel tree and is included in commit e41a23e61259f5526af875c3b86b3d42a9bae0e5 [1]. Users should update their kernels to incorporate this fix.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
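
The bounds check discussed under Root Cause and Mitigation can be modelled in user space. This is an added example, not kernel code and not taken from the referenced patch: struct model_skb, the model_* functions and the sample sizes are constructed, and the negative-offset guard in model_accepts_careful() is an assumption about the kind of validation the fix adds.

```c
#include <stdio.h>

/* Hypothetical stand-in for the sk_buff geometry that matters here. */
struct model_skb {
    int headroom; /* bytes between the start of the allocation and data */
    int hlen;     /* linear bytes readable starting at data */
};

/* Models a length-only check of the form "hlen - offset >= len".
 * For a negative offset the left side only grows, so it never fails. */
static int model_accepts(const struct model_skb *skb, int offset, int len)
{
    return skb->hlen - offset >= len;
}

/* Assumed hardened form: refuse negative offsets that reach below the
 * start of the allocation before applying the length check. */
static int model_accepts_careful(const struct model_skb *skb, int offset, int len)
{
    if (offset < 0 && -offset > skb->headroom)
        return 0;
    return model_accepts(skb, offset, len);
}

/* Ground truth for the model: does [offset, offset + len) stay inside
 * the region [-headroom, hlen) measured from data? */
static int read_in_bounds(const struct model_skb *skb, int offset, int len)
{
    return offset >= -skb->headroom && offset + len <= skb->hlen;
}

/* Count offsets in [lo, hi] that a check accepts although the read would
 * leave the buffer. Keep the range small so int arithmetic cannot overflow. */
static int count_unsafe_accepts(const struct model_skb *skb, int careful,
                                int lo, int hi, int len)
{
    int n = 0;
    for (int off = lo; off <= hi; off++) {
        int ok = careful ? model_accepts_careful(skb, off, len)
                         : model_accepts(skb, off, len);
        if (ok && !read_in_bounds(skb, off, len))
            n++;
    }
    return n;
}

int main(void)
{
    struct model_skb skb = { .headroom = 64, .hlen = 128 }; /* constructed sizes */
    printf("length-only check, unsafe accepts: %d\n", count_unsafe_accepts(&skb, 0, -256, 256, 4));
    printf("careful check, unsafe accepts:     %d\n", count_unsafe_accepts(&skb, 1, -256, 256, 4));
    return 0;
}
```

Every unsafe accept in the length-only model has a negative offset, which matches the slab-out-of-bounds read reported by KASAN.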

Affected products

  • Linux/Kernel: 16 versions
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=2.6.35.1,<6.6.124)
    • cpe:2.3:o:linux:linux_kernel:2.6.35:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.35:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.35:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.35:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.35:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.35:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*
    • (no CPE)

References

5
