CVE-2026-23270
Undergoing Analysis Undergoing Analysis - In Progress
Use-After-Free Vulnerability in Linux Kernel act_ct Traffic Classifier

Publication date: 2026-03-18

Last updated on: 2026-05-22

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks As Paolo said earlier [1]: "Since the blamed commit below, classify can return TC_ACT_CONSUMED while the current skb being held by the defragmentation engine. As reported by GangMin Kim, if such packet is that may cause a UaF when the defrag engine later on tries to tuch again such packet." act_ct was never meant to be used in the egress path, however some users are attaching it to egress today [2]. Attempting to reach a middle ground, we noticed that, while most qdiscs are not handling TC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we address the issue by only allowing act_ct to bind to clsact/ingress qdiscs and shared blocks. That way it's still possible to attach act_ct to egress (albeit only with clsact). [1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/ [2] https://lore.kernel.org/netdev/[email protected]/
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-05-22
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23270
EUVD
EUVD-2026-12913
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.18 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.8 (exc)
linux linux_kernel From 6.7.2 (inc) to 6.8 (exc)
linux linux_kernel From 5.15.148 (inc) to 5.15.203 (exc)
linux linux_kernel From 6.1.75 (inc) to 6.1.167 (exc)
linux linux_kernel From 6.6.14 (inc) to 6.6.130 (exc)
linux linux_kernel From 6.8 (inc) to 6.12.77 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's network scheduling subsystem. Specifically, it involves the act_ct action being improperly allowed to bind to certain queueing disciplines (qdiscs) other than clsact/ingress. The issue arises because classify can return TC_ACT_CONSUMED while the packet (skb) is still held by the defragmentation engine. If act_ct is used on the egress path, which it was not intended for, this can cause a Use-after-Free (UaF) error when the defragmentation engine later accesses the packet again.

The fix restricts act_ct to only bind to clsact/ingress qdiscs and shared blocks, preventing its use on other egress qdiscs and thus avoiding the UaF condition.

Impact Analysis

This vulnerability can lead to a Use-after-Free (UaF) condition in the Linux kernel's network stack. Such a condition may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges by exploiting the memory corruption.

If you are using act_ct on egress paths improperly, your system could be vulnerable to these issues, which could impact the reliability and security of your network operations.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability is addressed by restricting the act_ct module to bind only to clsact/ingress qdiscs and shared blocks.

To mitigate this vulnerability, ensure that act_ct is not attached to egress qdiscs other than clsact.

Updating the Linux kernel to a version that includes this fix is recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23270. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart