CVE-2026-23204
Published: 14 February 2026
Summary
CVE-2026-23204 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212); ranked at the 4.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-23204 is a vulnerability in the Linux kernel's networking scheduler classifier component, specifically cls_u32 (u32_classify). The issue stems from skb_header_pointer() failing to fully validate negative offset values, which can lead to slab-out-of-bounds access, as demonstrated by a KASAN-reported bug in net/sched/cls_u32.c at line 221. This out-of-bounds read (CWE-125) was reported by GangMin Kim along with a reproducer that fools u32_classify(). The vulnerability has a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H), rated as High severity.
A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows high-impact confidentiality violations, such as reading sensitive kernel memory, and high-impact availability disruptions, potentially leading to denial of service via kernel crashes or instability.
Mitigation involves applying the upstream kernel patches referenced in the stable repository commits, including changes to replace skb_header_pointer() with the more robust skb_header_pointer_careful() in cls_u32. Relevant commits are available at https://git.kernel.org/stable/c/13336a6239b9d7c6e61483017bb8bdfe3ceb10a5, https://git.kernel.org/stable/c/8a672f177ebe19c93d795fbe967846084fbc7943, https://git.kernel.org/stable/c/cabd1a976375780dabab888784e356f574bbaed8, https://git.kernel.org/stable/c/cfa745830e45ecb75c061aa34330ee0cac941cc7, and https://git.kernel.org/stable/c/e41a23e61259f5526af875c3b86b3d42a9bae0e5. Security practitioners should update to a patched kernel version as soon as feasible.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5841
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use skb_header_pointer_careful() skb_header_pointer() does not fully validate negative @offset values. Use skb_header_pointer_careful() instead. GangMin Kim provided a report and a repro fooling u32_classify(): BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0…
more
net/sched/cls_u32.c:221
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OOB kernel read directly enables credential access via memory disclosure (T1212) and system DoS via kernel instability/crash (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely application of the upstream kernel patches that replace skb_header_pointer() with skb_header_pointer_careful() to eliminate the negative-offset validation flaw in cls_u32.
Mandates validation of all input parameters (here, the offset passed to skb_header_pointer) before use, which would have blocked the slab-out-of-bounds read in u32_classify.
Requires hardware or software memory-protection mechanisms that can prevent or detect the KASAN-reported out-of-bounds slab access demonstrated by the CVE reproducer.