net/sched: cls_u32: use skb_header_pointer_careful()
skb_header_pointer() does not fully validate negative @offset values.
Use skb_header_pointer_careful() instead.
GangMin Kim provided a report and a repro fooling u32_classify():
BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0
net/sched/cls_u32.c:221
Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Debian DLA |
DLA-4561-1 | linux-6.1 security update |
Debian DSA |
DSA-6141-1 | linux security update |
Debian DSA |
DSA-6243-1 | linux security update |
Ubuntu USN |
USN-8278-1 | Linux kernel vulnerabilities |
Ubuntu USN |
USN-8289-1 | Linux kernel (NVIDIA) vulnerabilities |
Ubuntu USN |
USN-8296-1 | Linux kernel (FIPS) vulnerabilities |
Ubuntu USN |
USN-8296-2 | Linux kernel (NVIDIA Tegra) vulnerabilities |
Ubuntu USN |
USN-8278-2 | Linux kernel (Azure) vulnerabilities |
Ubuntu USN |
USN-8440-1 | Linux kernel (Azure) vulnerabilities |
Tue, 16 Jun 2026 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 01 Jun 2026 17:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
Wed, 25 Mar 2026 10:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
Thu, 19 Mar 2026 16:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-125 | |
| CPEs | cpe:2.3:o:linux:linux_kernel:2.6.35:-:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:2.6.35:rc2:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:2.6.35:rc3:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:2.6.35:rc4:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:2.6.35:rc5:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:2.6.35:rc6:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:* |
|
| Metrics |
cvssV3_1
|
cvssV3_1
|
Mon, 16 Feb 2026 12:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
| |
| Metrics |
threat_severity
|
cvssV3_1
|
Sat, 14 Feb 2026 16:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use skb_header_pointer_careful() skb_header_pointer() does not fully validate negative @offset values. Use skb_header_pointer_careful() instead. GangMin Kim provided a report and a repro fooling u32_classify(): BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0 net/sched/cls_u32.c:221 | |
| Title | net/sched: cls_u32: use skb_header_pointer_careful() | |
| First Time appeared |
Linux
Linux linux Kernel |
|
| CPEs | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Linux
Linux linux Kernel |
|
| References |
|
Status: PUBLISHED
Assigner: Linux
Published:
Updated: 2026-06-16T20:32:59.096Z
Reserved: 2026-01-13T15:37:45.986Z
Link: CVE-2026-23204
Updated: 2026-06-16T20:32:55.536Z
Status : Modified
Published: 2026-02-14T17:15:58.297
Modified: 2026-06-17T10:21:05.677
Link: CVE-2026-23204
OpenCVE Enrichment
Updated: 2026-04-16T00:45:15Z
Debian DLA
Debian DSA
Ubuntu USN