CVE-2026-23204 - Vulnerability Details - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use skb_header_pointer_careful() skb_header_pointer() does not fully validate negative @offset values. Use skb_header_pointer_careful() instead. GangMin Kim provided a report and a repro fooling u32_classify(): BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0 net/sched/cls_u32.c:221

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/13336a6239b9d7c6e61483017bb8bdfe3ceb10a5
https://git.kernel.org/stable/c/8a672f177ebe19c93d795fbe967846084fbc7943
https://git.kernel.org/stable/c/cabd1a976375780dabab888784e356f574bbaed8
https://git.kernel.org/stable/c/e41a23e61259f5526af875c3b86b3d42a9bae0e5

History

Sat, 14 Feb 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use skb_header_pointer_careful() skb_header_pointer() does not fully validate negative @offset values. Use skb_header_pointer_careful() instead. GangMin Kim provided a report and a repro fooling u32_classify(): BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0 net/sched/cls_u32.c:221
Title		net/sched: cls_u32: use skb_header_pointer_careful()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/13336a6239b9d7c6e61483017bb8bdfe3ceb10a5 https://git.kernel.org/stable/c/8a672f177ebe19c93d795fbe967846084fbc7943 https://git.kernel.org/stable/c/cabd1a976375780dabab888784e356f574bbaed8 https://git.kernel.org/stable/c/e41a23e61259f5526af875c3b86b3d42a9bae0e5

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-02-14T16:27:27.708Z

Updated: 2026-02-14T16:27:27.708Z

Reserved: 2026-01-13T15:37:45.986Z

Link: CVE-2026-23204

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-02-14T17:15:58.297

Modified: 2026-02-14T17:15:58.297

Link: CVE-2026-23204

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23204", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.986Z", "datePublished": "2026-02-14T16:27:27.708Z", "dateUpdated": "2026-02-14T16:27:27.708Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-02-14T16:27:27.708Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_u32: use skb_header_pointer_careful()\n\nskb_header_pointer() does not fully validate negative @offset values.\n\nUse skb_header_pointer_careful() instead.\n\nGangMin Kim provided a report and a repro fooling u32_classify():\n\nBUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0\nnet/sched/cls_u32.c:221"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/cls_u32.c"], "versions": [{"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d", "lessThan": "13336a6239b9d7c6e61483017bb8bdfe3ceb10a5", "status": "affected", "versionType": "git"}, {"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d", "lessThan": "e41a23e61259f5526af875c3b86b3d42a9bae0e5", "status": "affected", "versionType": "git"}, {"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d", "lessThan": "8a672f177ebe19c93d795fbe967846084fbc7943", "status": "affected", "versionType": "git"}, {"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d", "lessThan": "cabd1a976375780dabab888784e356f574bbaed8", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/cls_u32.c"], "versions": [{"version": "2.6.35", "status": "affected"}, {"version": "0", "lessThan": "2.6.35", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.124", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.70", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.10", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.35", "versionEndExcluding": "6.6.124"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.35", "versionEndExcluding": "6.12.70"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.35", "versionEndExcluding": "6.18.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.35", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/13336a6239b9d7c6e61483017bb8bdfe3ceb10a5"}, {"url": "https://git.kernel.org/stable/c/e41a23e61259f5526af875c3b86b3d42a9bae0e5"}, {"url": "https://git.kernel.org/stable/c/8a672f177ebe19c93d795fbe967846084fbc7943"}, {"url": "https://git.kernel.org/stable/c/cabd1a976375780dabab888784e356f574bbaed8"}], "title": "net/sched: cls_u32: use skb_header_pointer_careful()", "x_generator": {"engine": "bippy-1.2.0"}}}}