CVE-2026-23270
Description
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
As Paolo said earlier [1]:
"Since the blamed commit below, classify can return TC_ACT_CONSUMED while the current skb being held by the defragmentation engine. As reported by GangMin Kim, if such packet is that may cause a UaF when the defrag engine later on tries to touch again such packet."
act_ct was never meant to be used in the egress path, however some users are attaching it to egress today [2]. Attempting to reach a middle ground, we noticed that, while most qdiscs are not handling TC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we address the issue by only allowing act_ct to bind to clsact/ingress qdiscs and shared blocks. That way it's still possible to attach act_ct to egress (albeit only with clsact).
[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/
[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free vulnerability in the Linux kernel's act_ct TC action, exploitable when attached to egress qdiscs, is fixed by restricting binding to clsact/ingress qdiscs and shared blocks.
Vulnerability
Overview
CVE-2026-23270 is a use-after-free (UaF) vulnerability in the Linux kernel's net/sched act_ct module. act_ct was never designed for the egress path, but some users attach it to egress qdiscs. Classification can return TC_ACT_CONSUMED while the skb is still held by the defragmentation engine. Most qdiscs do not handle TC_ACT_CONSUMED (clsact/ingress qdiscs do), so a UaF can occur when the defrag engine later touches the packet again [1].
Exploitation
An attacker can trigger this bug by crafting packets that cause the classify function to return TC_ACT_CONSUMED while the skb is still referenced by the defragmentation engine. The attack requires the ability to send packets through a TC filter that uses act_ct on an egress qdisc (other than clsact). No special privileges beyond network access are needed, making it exploitable from unprivileged containers or user namespaces.
Impact
Successful exploitation leads to a use-after-free condition, which can result in memory corruption, denial of service, or potentially arbitrary code execution in kernel context. The CVSS v3 score is 7.8 (High), reflecting the high impact on confidentiality, integrity, and availability.
Mitigation
The fix, merged into the Linux kernel stable branches, restricts act_ct so that it binds only to clsact/ingress qdiscs and shared blocks [2][3][4]. This prevents the vulnerable code path from being reached on other egress qdiscs, while act_ct can still be attached to egress through clsact. Users should apply the latest kernel updates from their distribution. No workaround is available other than avoiding egress attachment of act_ct.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
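An added example, not part of the CVE record or the kernel patch: a Python audit for the mitigation above that flags qdiscs other than clsact/ingress carrying an act_ct (`ct`) action, the binding the fix rejects. The function names and sample text are constructed for illustration, and the parser assumes the text layout of `tc qdisc show dev DEV` and `tc filter show dev DEV parent HANDLE`; shared blocks are not modeled.

```python
import re

# Qdisc kinds act_ct may still bind to after the fix. Shared blocks are
# also allowed by the fix but are not modeled in this sketch.
ALLOWED_KINDS = {"clsact", "ingress"}
# Assumed layout of a qdisc line: "qdisc KIND HANDLE ..."
QDISC_RE = re.compile(r"^qdisc\s+(\S+)\s+([0-9a-fA-F]*:)", re.M)
# "ct" as a whole word, so the unrelated "ctinfo" action is not matched.
CT_ACTION_RE = re.compile(r"action order \d+:\s+ct\b")

def parse_qdiscs(qdisc_text):
    """Map qdisc handle -> kind from `tc qdisc show dev DEV` text."""
    return {handle: kind for kind, handle in QDISC_RE.findall(qdisc_text)}

def audit_act_ct(qdisc_text, filters_by_handle):
    """Return sorted (handle, kind) pairs where a ct action is bound to a
    qdisc that is neither clsact nor ingress.

    filters_by_handle maps a qdisc handle to the text of
    `tc filter show dev DEV parent HANDLE` for that qdisc.
    """
    kinds = parse_qdiscs(qdisc_text)
    findings = []
    for handle, dump in filters_by_handle.items():
        # A handle missing from the qdisc list is reported as "unknown"
        # rather than silently skipped.
        kind = kinds.get(handle, "unknown")
        if kind not in ALLOWED_KINDS and CT_ACTION_RE.search(dump):
            findings.append((handle, kind))
    return sorted(findings)

# Constructed sample input modeled on tc's text output (not captured
# from a real host): ct on an htb root qdisc and ct on clsact.
SAMPLE_QDISCS = """\
qdisc htb 1: root refcnt 2 r2q 10 default 0
qdisc clsact ffff: parent ffff:fff1
"""
SAMPLE_FILTERS = {
    "1:": ("filter protocol ip pref 1 flower chain 0 handle 0x1\n"
           "\taction order 1: ct zone 1 pipe\n"),
    "ffff:": ("filter protocol ip pref 1 flower chain 0 handle 0x1\n"
              "\taction order 1: ct zone 1 pipe\n"),
}

if __name__ == "__main__":
    for handle, kind in audit_act_ct(SAMPLE_QDISCS, SAMPLE_FILTERS):
        print(f"act_ct bound to {kind} qdisc {handle}: move it to clsact")
```

On a host, feed the functions the output of the two `tc` commands for each device; only the htb entry in the sample is reported, since clsact remains a permitted binding.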
Affected products: 1
Patches: 0
No patches discovered yet.
References (7)
- git.kernel.org/stable/c/11cb63b0d1a0685e0831ae3c77223e002ef18189 (nvd)
- git.kernel.org/stable/c/380ad8b7c65ea7aa10ef2258297079ed5ac1f5b6 (nvd)
- git.kernel.org/stable/c/524ce8b4ea8f64900b6c52b6a28df74f6bc0801e (nvd)
- git.kernel.org/stable/c/5a110ddcc99bda77a28598b3555fe009eaab3828 (nvd)
- git.kernel.org/stable/c/9deda0fcda5c1f388c5e279541850b71a2ccfcf4 (nvd)
- git.kernel.org/stable/c/bc4e5bb529823a09f02dbe96169de679a9db26e0 (nvd)
- git.kernel.org/stable/c/fb3c380a54e33d1fd272cc342faa906d787d7ef1 (nvd)