Cyber Resilience

CVE-2026-23204

Severity: High

Published: 14 February 2026
Modified: 01 June 2026
KEV Added
Patch
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0002 (4.9th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23204 is a high-severity out-of-bounds read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212). The CVE ranks at the 4.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23204 is a vulnerability in the Linux kernel's networking scheduler classifier component, specifically cls_u32 (u32_classify). The issue stems from skb_header_pointer() failing to fully validate negative offset values, which can lead to slab-out-of-bounds access, as demonstrated by a KASAN-reported bug in net/sched/cls_u32.c at line 221. This out-of-bounds read (CWE-125) was reported by GangMin Kim along with a reproducer that fools u32_classify(). The vulnerability has a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H), rated as High severity.

A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows high-impact confidentiality violations, such as reading sensitive kernel memory, and high-impact availability disruptions, potentially leading to denial of service via kernel crashes or instability.

Mitigation involves applying the upstream kernel patches referenced in the stable repository commits, including changes to replace skb_header_pointer() with the more robust skb_header_pointer_careful() in cls_u32. Relevant commits are available at https://git.kernel.org/stable/c/13336a6239b9d7c6e61483017bb8bdfe3ceb10a5, https://git.kernel.org/stable/c/8a672f177ebe19c93d795fbe967846084fbc7943, https://git.kernel.org/stable/c/cabd1a976375780dabab888784e356f574bbaed8, https://git.kernel.org/stable/c/cfa745830e45ecb75c061aa34330ee0cac941cc7, and https://git.kernel.org/stable/c/e41a23e61259f5526af875c3b86b3d42a9bae0e5. Security practitioners should update to a patched kernel version as soon as feasible.
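The validation gap described above, as an added example that is not taken from the kernel source or from this page: a simplified userspace C model of a linear packet buffer, comparing an upper-bound-only offset check with one that also bounds negative offsets by the headroom. The struct, the function names, the sample sizes and the exact form of the careful check are assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed model of a linear packet buffer; not the kernel's struct sk_buff. */
struct pkt {
    int headroom; /* bytes allocated before the data pointer */
    int headlen;  /* bytes readable from the data pointer onward */
};

/* Upper-bound-only check (hypothetical name). A negative offset always
 * passes: headlen - offset only grows as offset becomes more negative. */
static int accept_upper_only(const struct pkt *p, int offset, int len)
{
    return (long long)p->headlen - offset >= len;
}

/* Assumed careful form: also reject a negative offset that reaches
 * before the start of the allocation, i.e. beyond the headroom. */
static int accept_careful(const struct pkt *p, int offset, int len)
{
    if (len < 0 || (offset < 0 && -(long long)offset > p->headroom))
        return 0;
    return (long long)p->headlen - offset >= len;
}

/* Ground truth: does [offset, offset + len) stay inside the allocation? */
static int in_allocation(const struct pkt *p, int offset, int len)
{
    return len >= 0 && (long long)offset >= -(long long)p->headroom &&
           (long long)offset + len <= p->headlen;
}

/* Count constructed sample offsets a check accepts although they are out of bounds. */
static int oob_accepted(int (*check)(const struct pkt *, int, int))
{
    const struct pkt p = { 64, 128 };               /* constructed sizes */
    const int offsets[] = { 0, 124, 126, -14, -64, -65, -4096 };
    int i, bad = 0;
    for (i = 0; i < (int)(sizeof(offsets) / sizeof(offsets[0])); i++)
        if (check(&p, offsets[i], 4) && !in_allocation(&p, offsets[i], 4))
            bad++;
    return bad;
}

int main(void)
{
    printf("upper-only: %d out-of-bounds reads accepted\n", oob_accepted(accept_upper_only));
    printf("careful:    %d out-of-bounds reads accepted\n", oob_accepted(accept_careful));
    return 0;
}
```

Negative offsets that stay within the headroom remain valid in the careful form; only those reaching before the allocation are refused.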

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_u32: use skb_header_pointer_careful()

skb_header_pointer() does not fully validate negative @offset values. Use skb_header_pointer_careful() instead.

GangMin Kim provided a report and a repro fooling u32_classify():

BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0…

net/sched/cls_u32.c:221

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1212 Exploitation for Credential Access (tactic: Credential Access)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

OOB kernel read directly enables credential access via memory disclosure (T1212) and system DoS via kernel instability/crash (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21743 · Same product: Linux Linux Kernel
CVE-2026-31774 · Same product: Linux Linux Kernel
CVE-2026-23325 · Same product: Linux Linux Kernel
CVE-2025-21815 · Same product: Linux Linux Kernel
CVE-2026-31779 · Same product: Linux Linux Kernel
CVE-2026-43051 · Same product: Linux Linux Kernel
CVE-2026-23269 · Same product: Linux Linux Kernel
CVE-2026-31568 · Same product: Linux Linux Kernel
CVE-2026-43042 · Same product: Linux Linux Kernel
CVE-2026-23363 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
2.6.35, 6.19 · 2.6.35.1 — 6.6.124 · 6.7 — 6.12.70 · 6.13 — 6.18.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires timely application of the upstream kernel patches that replace skb_header_pointer() with skb_header_pointer_careful() to eliminate the negative-offset validation flaw in cls_u32.

prevent

Mandates validation of all input parameters (here, the offset passed to skb_header_pointer) before use, which would have blocked the slab-out-of-bounds read in u32_classify.

prevent · detect

Requires hardware or software memory-protection mechanisms that can prevent or detect the KASAN-reported out-of-bounds slab access demonstrated by the CVE reproducer.

References