CVE-2026-23204

CVE-2026-23204 is a vulnerability in the Linux kernel's networking scheduler classifier component, specifically cls_u32 (u32_classify). The issue stems from skb_header_pointer() failing to fully validate negative offset values, which can lead to slab-out-of-bounds access, as demonstrated by a KASAN-reported bug in net/sched/cls_u32.c at line 221. This out-of-bounds read (CWE-125) was reported by GangMin Kim along with a reproducer that fools u32_classify(). The vulnerability has a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H), rated as High severity.

A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows high-impact confidentiality violations, such as reading sensitive kernel memory, and high-impact availability disruptions, potentially leading to denial of service via kernel crashes or instability.

Mitigation involves applying the upstream kernel patches referenced in the stable repository commits, including changes to replace skb_header_pointer() with the more robust skb_header_pointer_careful() in cls_u32. Relevant commits are available at https://git.kernel.org/stable/c/13336a6239b9d7c6e61483017bb8bdfe3ceb10a5, https://git.kernel.org/stable/c/8a672f177ebe19c93d795fbe967846084fbc7943, https://git.kernel.org/stable/c/cabd1a976375780dabab888784e356f574bbaed8, https://git.kernel.org/stable/c/cfa745830e45ecb75c061aa34330ee0cac941cc7, and https://git.kernel.org/stable/c/e41a23e61259f5526af875c3b86b3d42a9bae0e5. Security practitioners should update to a patched kernel version as soon as feasible.