In the Linux kernel, the following vulnerability has been resolved:
net/sched: cls_u32: use skb_header_pointer_careful()
skb_header_pointer() does not fully validate negative @offset values.
Use skb_header_pointer_careful() instead.
GangMin Kim provided a report and a repro fooling u32_classify():
BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0
net/sched/cls_u32.c:221
< 13336a6239b9d7c6e61483017bb8bdfe3ceb10a5 - AFFECTED
< e41a23e61259f5526af875c3b86b3d42a9bae0e5 - AFFECTED
< 8a672f177ebe19c93d795fbe967846084fbc7943 - AFFECTED
< cabd1a976375780dabab888784e356f574bbaed8 - AFFECTED
2.6.35 - AFFECTED
< 2.6.35 - UNAFFECTED
<= 6.6.* - UNAFFECTED
<= 6.12.* - UNAFFECTED
<= 6.18.* - UNAFFECTED
<= * - UNAFFECTED
https://git.kernel.org/stable/c/13336a6239b9d7c6e61483017bb8bdfe3ceb10a5
https://git.kernel.org/stable/c/e41a23e61259f5526af875c3b86b3d42a9bae0e5
https://git.kernel.org/stable/c/8a672f177ebe19c93d795fbe967846084fbc7943
https://git.kernel.org/stable/c/cabd1a976375780dabab888784e356f574bbaed8
In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use...
https://github.com/advisories/GHSA-rf63-9f5h-hhg6In the Linux kernel, the following vulnerability has been resolved:
net/sched: cls_u32: use skb_header_pointer_careful()
skb_header_pointer() does not fully validate negative @offset values.
Use skb_header_pointer_careful() instead.
GangMin Kim provided a report and a repro fooling u32_classify():
BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0 net/sched/cls_u32.c:221
https://nvd.nist.gov/vuln/detail/CVE-2026-23204
https://git.kernel.org/stable/c/13336a6239b9d7c6e61483017bb8bdfe3ceb10a5
https://git.kernel.org/stable/c/8a672f177ebe19c93d795fbe967846084fbc7943
https://git.kernel.org/stable/c/cabd1a976375780dabab888784e356f574bbaed8
https://git.kernel.org/stable/c/e41a23e61259f5526af875c3b86b3d42a9bae0e5
https://github.com/advisories/GHSA-rf63-9f5h-hhg6
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-23204",
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"dateUpdated": "2026-02-14T16:27:27.708Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"datePublished": "2026-02-14T16:27:27.708Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux",
"dateUpdated": "2026-02-14T16:27:27.708Z"
},
"title": "net/sched: cls_u32: use skb_header_pointer_careful()",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_u32: use skb_header_pointer_careful()\n\nskb_header_pointer() does not fully validate negative @offset values.\n\nUse skb_header_pointer_careful() instead.\n\nGangMin Kim provided a report and a repro fooling u32_classify():\n\nBUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0\nnet/sched/cls_u32.c:221"
}
],
"affected": [
{
"vendor": "Linux",
"product": "Linux",
"programFiles": [
"net/sched/cls_u32.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"defaultStatus": "unaffected",
"versions": [
{
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"status": "affected",
"versionType": "git",
"lessThan": "13336a6239b9d7c6e61483017bb8bdfe3ceb10a5"
},
{
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"status": "affected",
"versionType": "git",
"lessThan": "e41a23e61259f5526af875c3b86b3d42a9bae0e5"
},
{
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"status": "affected",
"versionType": "git",
"lessThan": "8a672f177ebe19c93d795fbe967846084fbc7943"
},
{
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"status": "affected",
"versionType": "git",
"lessThan": "cabd1a976375780dabab888784e356f574bbaed8"
}
]
},
{
"vendor": "Linux",
"product": "Linux",
"programFiles": [
"net/sched/cls_u32.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"defaultStatus": "affected",
"versions": [
{
"version": "2.6.35",
"status": "affected"
},
{
"version": "0",
"status": "unaffected",
"versionType": "semver",
"lessThan": "2.6.35"
},
{
"version": "6.6.124",
"status": "unaffected",
"versionType": "semver",
"lessThanOrEqual": "6.6.*"
},
{
"version": "6.12.70",
"status": "unaffected",
"versionType": "semver",
"lessThanOrEqual": "6.12.*"
},
{
"version": "6.18.10",
"status": "unaffected",
"versionType": "semver",
"lessThanOrEqual": "6.18.*"
},
{
"version": "6.19",
"status": "unaffected",
"versionType": "original_commit_for_fix",
"lessThanOrEqual": "*"
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/13336a6239b9d7c6e61483017bb8bdfe3ceb10a5"
},
{
"url": "https://git.kernel.org/stable/c/e41a23e61259f5526af875c3b86b3d42a9bae0e5"
},
{
"url": "https://git.kernel.org/stable/c/8a672f177ebe19c93d795fbe967846084fbc7943"
},
{
"url": "https://git.kernel.org/stable/c/cabd1a976375780dabab888784e356f574bbaed8"
}
]
}
}
}