Bug 2448745 (CVE-2026-23270) - CVE-2026-23270 kernel: Linux kernel: Use-after-free in traffic control (act_ct) may lead to denial of service or privilege escalation
Summary: CVE-2026-23270 kernel: Linux kernel: Use-after-free in traffic control (act_c...
Keywords:
Status: NEW
Alias: CVE-2026-23270
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-03-18 19:02 UTC by OSIDB Bzimport
Modified: 2026-06-08 20:14 UTC (History)
CC: 3 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Links
System                   ID               Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata   RHSA-2026:13565  0        None      None    None     2026-05-04 21:20:27 UTC
Red Hat Product Errata   RHSA-2026:13566  0        None      None    None     2026-05-04 22:00:10 UTC
Red Hat Product Errata   RHSA-2026:19568  0        None      None    None     2026-05-20 12:57:38 UTC
Red Hat Product Errata   RHSA-2026:19569  0        None      None    None     2026-05-20 12:15:47 UTC
Red Hat Product Errata   RHSA-2026:21209  0        None      None    None     2026-05-27 01:42:44 UTC
Red Hat Product Errata   RHSA-2026:21706  0        None      None    None     2026-05-28 08:25:54 UTC
Red Hat Product Errata   RHSA-2026:21745  0        None      None    None     2026-05-28 13:26:23 UTC
Red Hat Product Errata   RHSA-2026:22900  0        None      None    None     2026-06-03 15:19:22 UTC
Red Hat Product Errata   RHSA-2026:22940  0        None      None    None     2026-06-03 19:17:50 UTC
Red Hat Product Errata   RHSA-2026:23224  0        None      None    None     2026-06-04 12:16:41 UTC
Red Hat Product Errata   RHSA-2026:24343  0        None      None    None     2026-06-08 03:03:26 UTC

Description OSIDB Bzimport 2026-03-18 19:02:45 UTC
In the Linux kernel, the following vulnerability has been resolved:

net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks

As Paolo said earlier [1]:

"Since the blamed commit below, classify can return TC_ACT_CONSUMED while
the current skb being held by the defragmentation engine. As reported by
GangMin Kim, if such packet is that may cause a UaF when the defrag engine
later on tries to touch again such packet."

act_ct was never meant to be used in the egress path, however some users
are attaching it to egress today [2]. Attempting to reach a middle
ground, we noticed that, while most qdiscs are not handling
TC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we
address the issue by only allowing act_ct to bind to clsact/ingress
qdiscs and shared blocks. That way it's still possible to attach act_ct to
egress (albeit only with clsact).

[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/
[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/
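A defender-side configuration check in the spirit of the binding rule described above, added here as an example; it is not part of the bug report, the kernel commit or the Red Hat errata. It walks JSON shaped like iproute2's `tc -j qdisc show` and `tc -j filter show` output and reports every filter carrying an act_ct action (`kind: "ct"`) that is attached to a qdisc other than clsact/ingress, while accepting shared-block attachments, which is the attachment the fix now refuses. The sample interfaces, handles and the per-attachment-point wrapper record (`dev`/`handle`/`block`/`filters`) are constructed assumptions; the inner filter and action keys mirror the iproute2 JSON field names as far as I know them.

```python
"""Audit tc filter attachments for act_ct bound outside clsact/ingress qdiscs.

Added example, not code from the kernel commit or Red Hat. All input is
constructed to resemble `tc -j qdisc show` / `tc -j filter show` output; the
outer per-attachment-point record ("dev"/"handle"/"block"/"filters") is this
script's own bookkeeping, because `tc -j filter show` prints filters for one
attachment point at a time and does not label each entry with it.
"""
import json

# Qdisc kinds that handle TC_ACT_CONSUMED and may therefore host act_ct
# (the set the fix allows, besides shared blocks).
ALLOWED_QDISC_KINDS = {"clsact", "ingress"}

# Constructed sample in the shape of `tc -j qdisc show`.
QDISCS_JSON = """[
  {"kind": "clsact", "handle": "ffff:", "dev": "eth0", "parent": "ffff:fff1"},
  {"kind": "htb",    "handle": "1:",    "dev": "eth1", "root": true}
]"""

# Constructed sample: one record per attachment point, each holding the list
# that `tc -j filter show ...` would print there. Action kind "ct" is act_ct.
FILTER_SETS_JSON = """[
  {"dev": "eth0", "handle": "ffff:", "filters": [
    {"kind": "flower", "pref": 1,
     "options": {"actions": [{"order": 1, "kind": "ct"}]}}
  ]},
  {"dev": "eth1", "handle": "1:", "filters": [
    {"kind": "flower", "pref": 2,
     "options": {"actions": [{"order": 1, "kind": "ct"},
                             {"order": 2, "kind": "gact"}]}}
  ]},
  {"block": 22, "filters": [
    {"kind": "flower", "pref": 3,
     "options": {"actions": [{"order": 1, "kind": "ct"}]}}
  ]}
]"""


def filter_uses_act_ct(flt):
    """True if any action attached to the filter is act_ct (kind "ct")."""
    actions = flt.get("options", {}).get("actions", [])
    return any(a.get("kind") == "ct" for a in actions)


def audit(qdiscs_json, filter_sets_json):
    """Return (dev, handle, qdisc_kind, pref) for every act_ct filter bound to
    a qdisc the fix disallows. Shared-block attachments are always accepted,
    matching the commit; an unknown qdisc is reported rather than assumed safe."""
    qdisc_kind = {(q["dev"], q["handle"]): q["kind"]
                  for q in json.loads(qdiscs_json)}
    violations = []
    for fs in json.loads(filter_sets_json):
        if "block" in fs:
            continue  # shared block: permitted attachment point
        kind = qdisc_kind.get((fs["dev"], fs["handle"]), "unknown")
        for flt in fs["filters"]:
            if filter_uses_act_ct(flt) and kind not in ALLOWED_QDISC_KINDS:
                violations.append((fs["dev"], fs["handle"], kind, flt.get("pref")))
    return violations


if __name__ == "__main__":
    for dev, handle, kind, pref in audit(QDISCS_JSON, FILTER_SETS_JSON):
        print(f"act_ct on {dev} qdisc {handle} ({kind}), filter pref {pref}: "
              f"not clsact/ingress, an attachment the fix rejects")
```

On a patched kernel the flagged attachment (act_ct under the htb root on eth1) can no longer be created, so the check is mainly useful for inventorying configurations on hosts that still await the errata and for confirming that egress act_ct users have moved to clsact, which the commit keeps allowed.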

Comment 6 errata-xmlrpc 2026-05-04 21:20:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:13565 https://access.redhat.com/errata/RHSA-2026:13565

Comment 7 errata-xmlrpc 2026-05-04 22:00:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:13566 https://access.redhat.com/errata/RHSA-2026:13566

Comment 8 errata-xmlrpc 2026-05-20 12:15:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:19569 https://access.redhat.com/errata/RHSA-2026:19569

Comment 9 errata-xmlrpc 2026-05-20 12:57:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:19568 https://access.redhat.com/errata/RHSA-2026:19568

Comment 10 errata-xmlrpc 2026-05-27 01:42:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:21209 https://access.redhat.com/errata/RHSA-2026:21209

Comment 11 errata-xmlrpc 2026-05-28 08:25:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:21706 https://access.redhat.com/errata/RHSA-2026:21706

Comment 12 errata-xmlrpc 2026-05-28 13:26:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:21745 https://access.redhat.com/errata/RHSA-2026:21745

Comment 14 errata-xmlrpc 2026-06-03 15:19:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:22900 https://access.redhat.com/errata/RHSA-2026:22900

Comment 15 errata-xmlrpc 2026-06-03 19:17:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:22940 https://access.redhat.com/errata/RHSA-2026:22940

Comment 16 errata-xmlrpc 2026-06-04 12:16:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:23224 https://access.redhat.com/errata/RHSA-2026:23224

Comment 17 errata-xmlrpc 2026-06-08 03:03:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:24343 https://access.redhat.com/errata/RHSA-2026:24343
