Bug 2439931 (CVE-2026-23204)

Summary:	CVE-2026-23204 kernel: net/sched: cls_u32: use skb_header_pointer_careful()
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security DevOps Team <prodsec-dev>
Status:	NEW ---	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	Keywords:	Security
Target Milestone:	---
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	---
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-02-14 17:03:39 UTC

In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_u32: use skb_header_pointer_careful()

skb_header_pointer() does not fully validate negative @offset values.

Use skb_header_pointer_careful() instead.

GangMin Kim provided a report and a repro fooling u32_classify():

BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0
net/sched/cls_u32.c:221

Comment 1 TEJ RATHI 2026-02-16 06:36:43 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026021437-CVE-2026-23204-be85@gregkh/T

Comment 3 errata-xmlrpc 2026-03-30 02:18:10 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:6036 https://access.redhat.com/errata/RHSA-2026:6036

Comment 4 errata-xmlrpc 2026-03-30 02:40:51 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:6037 https://access.redhat.com/errata/RHSA-2026:6037

Comment 5 errata-xmlrpc 2026-03-30 11:06:28 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:6153 https://access.redhat.com/errata/RHSA-2026:6153

Comment 6 errata-xmlrpc 2026-04-06 07:50:01 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:6632 https://access.redhat.com/errata/RHSA-2026:6632

Comment 7 errata-xmlrpc 2026-04-15 20:06:43 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:8342 https://access.redhat.com/errata/RHSA-2026:8342

Comment 8 errata-xmlrpc 2026-04-20 20:28:57 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:9112 https://access.redhat.com/errata/RHSA-2026:9112

Comment 9 errata-xmlrpc 2026-04-22 00:11:17 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:9512 https://access.redhat.com/errata/RHSA-2026:9512

Comment 10 errata-xmlrpc 2026-04-22 00:11:43 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2026:9513 https://access.redhat.com/errata/RHSA-2026:9513

Comment 11 errata-xmlrpc 2026-04-22 00:20:14 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:9515 https://access.redhat.com/errata/RHSA-2026:9515

Comment 12 errata-xmlrpc 2026-04-22 00:23:29 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:9514 https://access.redhat.com/errata/RHSA-2026:9514

Comment 13 errata-xmlrpc 2026-04-22 07:51:57 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:9643 https://access.redhat.com/errata/RHSA-2026:9643

Comment 14 errata-xmlrpc 2026-04-22 08:05:12 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:9644 https://access.redhat.com/errata/RHSA-2026:9644

Comment 15 errata-xmlrpc 2026-04-22 17:39:59 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:9835 https://access.redhat.com/errata/RHSA-2026:9835

Comment 16 errata-xmlrpc 2026-04-22 17:46:50 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:9836 https://access.redhat.com/errata/RHSA-2026:9836

Comment 17 errata-xmlrpc 2026-04-22 20:40:48 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:9870 https://access.redhat.com/errata/RHSA-2026:9870

Comment 18 errata-xmlrpc 2026-04-23 22:46:42 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:10108 https://access.redhat.com/errata/RHSA-2026:10108

Comment 20 errata-xmlrpc 2026-04-27 10:31:45 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:10756 https://access.redhat.com/errata/RHSA-2026:10756