CVE-2026-23270
Description
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
As Paolo said earlier [1]:
"Since the blamed commit below, classify can return TC_ACT_CONSUMED while the current skb being held by the defragmentation engine. As reported by GangMin Kim, if such packet is that may cause a UaF when the defrag engine later on tries to tuch again such packet."
act_ct was never meant to be used in the egress path, however some users are attaching it to egress today [2]. Attempting to reach a middle ground, we noticed that, while most qdiscs are not handling TC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we address the issue by only allowing act_ct to bind to clsact/ingress qdiscs and shared blocks. That way it's still possible to attach act_ct to egress (albeit only with clsact).
[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/ [2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
113- osv-coords109 versionspkg:linux/kernelpkg:rpm/almalinux/bpftoolpkg:rpm/almalinux/kernelpkg:rpm/almalinux/kernel-64kpkg:rpm/almalinux/kernel-64k-corepkg:rpm/almalinux/kernel-64k-debugpkg:rpm/almalinux/kernel-64k-debug-corepkg:rpm/almalinux/kernel-64k-debug-develpkg:rpm/almalinux/kernel-64k-debug-devel-matchedpkg:rpm/almalinux/kernel-64k-debug-modulespkg:rpm/almalinux/kernel-64k-debug-modules-corepkg:rpm/almalinux/kernel-64k-debug-modules-extrapkg:rpm/almalinux/kernel-64k-develpkg:rpm/almalinux/kernel-64k-devel-matchedpkg:rpm/almalinux/kernel-64k-modulespkg:rpm/almalinux/kernel-64k-modules-corepkg:rpm/almalinux/kernel-64k-modules-extrapkg:rpm/almalinux/kernel-abi-stablelistspkg:rpm/almalinux/kernel-corepkg:rpm/almalinux/kernel-cross-headerspkg:rpm/almalinux/kernel-debugpkg:rpm/almalinux/kernel-debug-corepkg:rpm/almalinux/kernel-debug-develpkg:rpm/almalinux/kernel-debug-devel-matchedpkg:rpm/almalinux/kernel-debug-modulespkg:rpm/almalinux/kernel-debug-modules-corepkg:rpm/almalinux/kernel-debug-modules-extrapkg:rpm/almalinux/kernel-debug-uki-virtpkg:rpm/almalinux/kernel-develpkg:rpm/almalinux/kernel-devel-matchedpkg:rpm/almalinux/kernel-docpkg:rpm/almalinux/kernel-headerspkg:rpm/almalinux/kernel-modulespkg:rpm/almalinux/kernel-modules-corepkg:rpm/almalinux/kernel-modules-extrapkg:rpm/almalinux/kernel-modules-extra-matchedpkg:rpm/almalinux/kernel-rtpkg:rpm/almalinux/kernel-rt-64kpkg:rpm/almalinux/kernel-rt-64k-corepkg:rpm/almalinux/kernel-rt-64k-debugpkg:rpm/almalinux/kernel-rt-64k-debug-corepkg:rpm/almalinux/kernel-rt-64k-debug-develpkg:rpm/almalinux/kernel-rt-64k-debug-modulespkg:rpm/almalinux/kernel-rt-64k-debug-modules-corepkg:rpm/almalinux/kernel-rt-64k-debug-modules-extrapkg:rpm/almalinux/kernel-rt-64k-develpkg:rpm/almalinux/kernel-rt-64k-modulespkg:rpm/almalinux/kernel-rt-64k-modules-corepkg:rpm/almalinux/kernel-rt-64k-modules-extrapkg:rpm/almalinux/kernel-rt-corepkg:rpm/almalinux/kernel-rt-debugpkg:rpm/almalinux/kernel-rt-debug-corepkg:rpm/almalinux/kernel-rt-debug-develpkg:rpm/almalinux/kernel-rt-debug-modulespkg:rpm/almalinux/kernel-rt-debug-modules-corepkg:rpm/almalinux/kernel-rt-debug-modules-extrapkg:rpm/almalinux/kernel-rt-develpkg:rpm/almalinux/kernel-rt-modulespkg:rpm/almalinux/kernel-rt-modules-corepkg:rpm/almalinux/kernel-rt-modules-extrapkg:rpm/almalinux/kernel-toolspkg:rpm/almalinux/kernel-tools-libspkg:rpm/almalinux/kernel-tools-libs-develpkg:rpm/almalinux/kernel-uki-virtpkg:rpm/almalinux/kernel-uki-virt-addonspkg:rpm/almalinux/kernel-zfcpdumppkg:rpm/almalinux/kernel-zfcpdump-corepkg:rpm/almalinux/kernel-zfcpdump-develpkg:rpm/almalinux/kernel-zfcpdump-devel-matchedpkg:rpm/almalinux/kernel-zfcpdump-modulespkg:rpm/almalinux/kernel-zfcpdump-modules-corepkg:rpm/almalinux/kernel-zfcpdump-modules-extrapkg:rpm/almalinux/libperfpkg:rpm/almalinux/perfpkg:rpm/almalinux/python3-perfpkg:rpm/almalinux/rtlapkg:rpm/almalinux/rvpkg:rpm/opensuse/dtb-aarch64&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-64kb&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-azure&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-default-base&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-default&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-docs&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-kvmsmall&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-obs-build&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-obs-qa&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-rt&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-source&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-syms&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-zfcpdump&distro=openSUSE%20Leap%2016.0pkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-kvmsmall&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-kvmsmall&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-livepatch-SLE15-SP7-RT_Update_11&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP7pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP7pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP7pkg:rpm/suse/kernel-syms-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP7
< 6.1.167+ 108 more
- (no CPE)range: < 6.1.167
- (no CPE)range: < 4.18.0-553.126.1.el8_10
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 6.12.0-211.16.1.el10_2
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 5.14.0-611.54.1.el9_7
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.27.1.160000.2.8
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.4.0-41.1.21.18
- (no CPE)range: < 6.4.0-41.1.21.18
- (no CPE)range: < 6.12.0-160000.27.1.160000.2.8
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 1-150700.1.3.1
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.4.0-150700.7.37.2
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 6.4.0-150700.7.37.2
- (no CPE)range: < 6.4.0-150700.7.37.1
Patches
Vulnerability mechanics
References
7- git.kernel.org/stable/c/11cb63b0d1a0685e0831ae3c77223e002ef18189nvdPatch
- git.kernel.org/stable/c/380ad8b7c65ea7aa10ef2258297079ed5ac1f5b6nvdPatch
- git.kernel.org/stable/c/524ce8b4ea8f64900b6c52b6a28df74f6bc0801envdPatch
- git.kernel.org/stable/c/5a110ddcc99bda77a28598b3555fe009eaab3828nvdPatch
- git.kernel.org/stable/c/9deda0fcda5c1f388c5e279541850b71a2ccfcf4nvdPatch
- git.kernel.org/stable/c/bc4e5bb529823a09f02dbe96169de679a9db26e0nvdPatch
- git.kernel.org/stable/c/fb3c380a54e33d1fd272cc342faa906d787d7ef1nvdPatch
News mentions
0No linked articles in our index yet.