Bug 2439931 (CVE-2026-23204) - CVE-2026-23204 kernel: net/sched: cls_u32: use skb_header_pointer_careful()
Summary: CVE-2026-23204 kernel: net/sched: cls_u32: use skb_header_pointer_careful()
Keywords:
Status: NEW
Alias: CVE-2026-23204
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-02-14 17:03 UTC by OSIDB Bzimport
Modified: 2026-04-15 20:06 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:6036 0 None None None 2026-03-30 02:18:10 UTC
Red Hat Product Errata RHSA-2026:6037 0 None None None 2026-03-30 02:40:52 UTC
Red Hat Product Errata RHSA-2026:6153 0 None None None 2026-03-30 11:06:29 UTC
Red Hat Product Errata RHSA-2026:6632 0 None None None 2026-04-06 07:50:02 UTC
Red Hat Product Errata RHSA-2026:8342 0 None None None 2026-04-15 20:06:44 UTC

Description OSIDB Bzimport 2026-02-14 17:03:39 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_u32: use skb_header_pointer_careful()

skb_header_pointer() does not fully validate negative @offset values.

Use skb_header_pointer_careful() instead.

GangMin Kim provided a report and a repro fooling u32_classify():

BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0
net/sched/cls_u32.c:221
Comment 1 TEJ RATHI 2026-02-16 06:36:43 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026021437-CVE-2026-23204-be85@gregkh/T
Comment 3 errata-xmlrpc 2026-03-30 02:18:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:6036 https://access.redhat.com/errata/RHSA-2026:6036
Comment 4 errata-xmlrpc 2026-03-30 02:40:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:6037 https://access.redhat.com/errata/RHSA-2026:6037
Comment 5 errata-xmlrpc 2026-03-30 11:06:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:6153 https://access.redhat.com/errata/RHSA-2026:6153
Comment 6 errata-xmlrpc 2026-04-06 07:50:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:6632 https://access.redhat.com/errata/RHSA-2026:6632
Comment 7 errata-xmlrpc 2026-04-15 20:06:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:8342 https://access.redhat.com/errata/RHSA-2026:8342
Note You need to log in before you can comment on or make changes to this bug.