CVE-2026-23270 (GCVE-0-2026-23270)

Vulnerability from cvelistv5 – Published: 2026-03-18 17:54 – Updated: 2026-04-02 14:44
VLAI?
Title
net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
Summary
In the Linux kernel, the following vulnerability has been resolved: net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks As Paolo said earlier [1]: "Since the blamed commit below, classify can return TC_ACT_CONSUMED while the current skb being held by the defragmentation engine. As reported by GangMin Kim, if such packet is that may cause a UaF when the defrag engine later on tries to tuch again such packet." act_ct was never meant to be used in the egress path, however some users are attaching it to egress today [2]. Attempting to reach a middle ground, we noticed that, while most qdiscs are not handling TC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we address the issue by only allowing act_ct to bind to clsact/ingress qdiscs and shared blocks. That way it's still possible to attach act_ct to egress (albeit only with clsact). [1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/ [2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/
Severity ?
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 0b5b831122fc3789fff75be433ba3e4dd7b779d4 , < fb3c380a54e33d1fd272cc342faa906d787d7ef1 (git)
Affected: 73f7da5fd124f2cda9161e2e46114915e6e82e97 , < 5a110ddcc99bda77a28598b3555fe009eaab3828 (git)
Affected: 3f14b377d01d8357eba032b4cabc8c1149b458b6 , < 524ce8b4ea8f64900b6c52b6a28df74f6bc0801e (git)
Affected: 3f14b377d01d8357eba032b4cabc8c1149b458b6 , < 380ad8b7c65ea7aa10ef2258297079ed5ac1f5b6 (git)
Affected: 3f14b377d01d8357eba032b4cabc8c1149b458b6 , < 9deda0fcda5c1f388c5e279541850b71a2ccfcf4 (git)
Affected: 3f14b377d01d8357eba032b4cabc8c1149b458b6 , < 11cb63b0d1a0685e0831ae3c77223e002ef18189 (git)
Affected: 172ba7d46c202e679f3ccb10264c67416aaeb1c4 (git)
Affected: f5346df0591d10bc948761ca854b1fae6d2ef441 (git)
Create a notification for this product.
    Linux Linux Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.1.167 , ≤ 6.1.* (semver)
Unaffected: 6.6.130 , ≤ 6.6.* (semver)
Unaffected: 6.12.77 , ≤ 6.12.* (semver)
Unaffected: 6.18.18 , ≤ 6.18.* (semver)
Unaffected: 6.19.8 , ≤ 6.19.* (semver)
Unaffected: 7.0-rc3 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/act_api.h",
            "net/sched/act_ct.c",
            "net/sched/cls_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fb3c380a54e33d1fd272cc342faa906d787d7ef1",
              "status": "affected",
              "version": "0b5b831122fc3789fff75be433ba3e4dd7b779d4",
              "versionType": "git"
            },
            {
              "lessThan": "5a110ddcc99bda77a28598b3555fe009eaab3828",
              "status": "affected",
              "version": "73f7da5fd124f2cda9161e2e46114915e6e82e97",
              "versionType": "git"
            },
            {
              "lessThan": "524ce8b4ea8f64900b6c52b6a28df74f6bc0801e",
              "status": "affected",
              "version": "3f14b377d01d8357eba032b4cabc8c1149b458b6",
              "versionType": "git"
            },
            {
              "lessThan": "380ad8b7c65ea7aa10ef2258297079ed5ac1f5b6",
              "status": "affected",
              "version": "3f14b377d01d8357eba032b4cabc8c1149b458b6",
              "versionType": "git"
            },
            {
              "lessThan": "9deda0fcda5c1f388c5e279541850b71a2ccfcf4",
              "status": "affected",
              "version": "3f14b377d01d8357eba032b4cabc8c1149b458b6",
              "versionType": "git"
            },
            {
              "lessThan": "11cb63b0d1a0685e0831ae3c77223e002ef18189",
              "status": "affected",
              "version": "3f14b377d01d8357eba032b4cabc8c1149b458b6",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "172ba7d46c202e679f3ccb10264c67416aaeb1c4",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f5346df0591d10bc948761ca854b1fae6d2ef441",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/act_api.h",
            "net/sched/act_ct.c",
            "net/sched/cls_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.167",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.77",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0-rc3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.167",
                  "versionStartIncluding": "6.1.75",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "6.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.77",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.18",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.8",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0-rc3",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.148",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.7.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks\n\nAs Paolo said earlier [1]:\n\n\"Since the blamed commit below, classify can return TC_ACT_CONSUMED while\nthe current skb being held by the defragmentation engine. As reported by\nGangMin Kim, if such packet is that may cause a UaF when the defrag engine\nlater on tries to tuch again such packet.\"\n\nact_ct was never meant to be used in the egress path, however some users\nare attaching it to egress today [2]. Attempting to reach a middle\nground, we noticed that, while most qdiscs are not handling\nTC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we\naddress the issue by only allowing act_ct to bind to clsact/ingress\nqdiscs and shared blocks. That way it\u0027s still possible to attach act_ct to\negress (albeit only with clsact).\n\n[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/\n[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-02T14:44:05.484Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fb3c380a54e33d1fd272cc342faa906d787d7ef1"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a110ddcc99bda77a28598b3555fe009eaab3828"
        },
        {
          "url": "https://git.kernel.org/stable/c/524ce8b4ea8f64900b6c52b6a28df74f6bc0801e"
        },
        {
          "url": "https://git.kernel.org/stable/c/380ad8b7c65ea7aa10ef2258297079ed5ac1f5b6"
        },
        {
          "url": "https://git.kernel.org/stable/c/9deda0fcda5c1f388c5e279541850b71a2ccfcf4"
        },
        {
          "url": "https://git.kernel.org/stable/c/11cb63b0d1a0685e0831ae3c77223e002ef18189"
        }
      ],
      "title": "net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23270",
    "datePublished": "2026-03-18T17:54:43.803Z",
    "dateReserved": "2026-01-13T15:37:45.991Z",
    "dateUpdated": "2026-04-02T14:44:05.484Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23270\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-03-18T18:16:26.053\",\"lastModified\":\"2026-04-02T15:16:27.953\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks\\n\\nAs Paolo said earlier [1]:\\n\\n\\\"Since the blamed commit below, classify can return TC_ACT_CONSUMED while\\nthe current skb being held by the defragmentation engine. As reported by\\nGangMin Kim, if such packet is that may cause a UaF when the defrag engine\\nlater on tries to tuch again such packet.\\\"\\n\\nact_ct was never meant to be used in the egress path, however some users\\nare attaching it to egress today [2]. Attempting to reach a middle\\nground, we noticed that, while most qdiscs are not handling\\nTC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we\\naddress the issue by only allowing act_ct to bind to clsact/ingress\\nqdiscs and shared blocks. That way it\u0027s still possible to attach act_ct to\\negress (albeit only with clsact).\\n\\n[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/\\n[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\\n\\nnet/sched: Solo permitir que act_ct se vincule a qdiscs clsact/de entrada y bloques compartidos\\n\\nComo Paolo dijo anteriormente [1]:\\n\\n\u0027Desde el commit culpado a continuaci\u00f3n, classify puede devolver TC_ACT_CONSUMED mientras el skb actual est\u00e1 siendo retenido por el motor de desfragmentaci\u00f3n. Seg\u00fan lo informado por GangMin Kim, si dicho paquete es uno que puede causar un UaF cuando el motor de desfragmentaci\u00f3n m\u00e1s tarde intente tocar de nuevo dicho paquete.\u0027\\n\\nact_ct nunca estuvo destinado a ser usado en la ruta de salida, sin embargo, algunos usuarios lo est\u00e1n adjuntando a la salida hoy [2]. Intentando llegar a un punto intermedio, notamos que, mientras que la mayor\u00eda de los qdiscs no est\u00e1n manejando TC_ACT_CONSUMED, los qdiscs clsact/de entrada s\u00ed lo est\u00e1n. Con eso en mente, abordamos el problema permitiendo solo que act_ct se vincule a qdiscs clsact/de entrada y bloques compartidos. De esa manera, todav\u00eda es posible adjuntar act_ct a la salida (aunque solo con clsact).\\n\\n[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/\\n[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/11cb63b0d1a0685e0831ae3c77223e002ef18189\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/380ad8b7c65ea7aa10ef2258297079ed5ac1f5b6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/524ce8b4ea8f64900b6c52b6a28df74f6bc0801e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5a110ddcc99bda77a28598b3555fe009eaab3828\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9deda0fcda5c1f388c5e279541850b71a2ccfcf4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fb3c380a54e33d1fd272cc342faa906d787d7ef1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.