CVE-2026-23270
Received - Intake
Use-After-Free Vulnerability in Linux Kernel act_ct Traffic Classifier

Publication date: 2026-03-18

Last updated on: 2026-04-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks

As Paolo said earlier [1]:

"Since the blamed commit below, classify can return TC_ACT_CONSUMED while the current skb is being held by the defragmentation engine. As reported by GangMin Kim, if such packet is that may cause a UaF when the defrag engine later on tries to touch again such packet."

act_ct was never meant to be used in the egress path, however some users are attaching it to egress today [2]. Attempting to reach a middle ground, we noticed that, while most qdiscs are not handling TC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we address the issue by only allowing act_ct to bind to clsact/ingress qdiscs and shared blocks. That way it's still possible to attach act_ct to egress (albeit only with clsact).

[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/
[2] https://lore.kernel.org/netdev/[email protected]/

Meta Information
Published: 2026-03-18
Last Modified: 2026-04-18
Generated: 2026-05-07
AI Q&A: 2026-03-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
linux | linux_kernel | *
linux_kernel | linux_kernel | *
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's network scheduling subsystem. Specifically, it involves the act_ct action being improperly allowed to bind to certain queueing disciplines (qdiscs) other than clsact/ingress. The issue arises because classify can return TC_ACT_CONSUMED while the packet (skb) is still held by the defragmentation engine. If act_ct is used on the egress path, which it was not intended for, this can cause a Use-after-Free (UaF) error when the defragmentation engine later accesses the packet again.

The fix restricts act_ct to only bind to clsact/ingress qdiscs and shared blocks, preventing its use on other egress qdiscs and thus avoiding the UaF condition.


How can this vulnerability impact me?

This vulnerability can lead to a Use-after-Free (UaF) condition in the Linux kernel's network stack. Such a condition may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges by exploiting the memory corruption.

If you are using act_ct on egress paths improperly, your system could be vulnerable to these issues, which could impact the reliability and security of your network operations.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is addressed by restricting the act_ct module to bind only to clsact/ingress qdiscs and shared blocks.

To mitigate this vulnerability, ensure that act_ct is not attached to egress qdiscs other than clsact.

Updating the Linux kernel to a version that includes this fix is recommended.
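
One way to check for the attachment described in the mitigation above, as an added example that is not part of the original advisory or the kernel fix: it scans tc text listings for ct actions on qdiscs other than clsact/ingress. The sample listings are constructed and simplified, risky_ct_bindings is a hypothetical helper, and shared blocks (which the fix also allows) are not modelled.

```python
import re

# Qdisc kinds the fix still lets act_ct bind to. Shared blocks are also
# allowed by the fix but are not modelled in this example.
ALLOWED_KINDS = {"clsact", "ingress"}
QDISC_RE = re.compile(r"^qdisc (\S+) (\S+) dev (\S+)", re.M)
# tc lists each action as "action order N: <kind> ..."; \b keeps ctinfo out.
CT_ACTION_RE = re.compile(r"action order \d+:\s*ct\b")

def risky_ct_bindings(qdisc_text, filters_by_qdisc):
    """Return sorted (dev, kind, handle) tuples for qdiscs outside
    ALLOWED_KINDS whose filter listing contains a ct action.

    qdisc_text: output of `tc qdisc show`.
    filters_by_qdisc: {(dev, handle): output of
        `tc filter show dev DEV parent HANDLE`}.
    """
    findings = []
    for kind, handle, dev in QDISC_RE.findall(qdisc_text):
        if kind in ALLOWED_KINDS:
            continue  # clsact/ingress handle TC_ACT_CONSUMED
        if CT_ACTION_RE.search(filters_by_qdisc.get((dev, handle), "")):
            findings.append((dev, kind, handle))
    return sorted(findings)

# Constructed, simplified sample listings (not captured from a real host).
SAMPLE_QDISCS = """\
qdisc htb 1: dev eth0 root refcnt 2 r2q 10 default 0
qdisc clsact ffff: dev eth0 parent ffff:fff1
qdisc prio 2: dev eth1 root refcnt 2 bands 3
"""
SAMPLE_FILTERS = {
    ("eth0", "1:"): "filter protocol ip pref 10 flower chain 0 handle 0x1\n"
                    "\taction order 1: ct zone 1 pipe\n",
    ("eth0", "ffff:"): "filter protocol ip pref 10 flower chain 0 handle 0x1\n"
                       "\taction order 1: ct commit zone 1 pipe\n",
    ("eth1", "2:"): "filter protocol ip pref 10 flower chain 0 handle 0x1\n"
                    "\taction order 1: ctinfo zone 0 pipe\n",
}

if __name__ == "__main__":
    for dev, kind, handle in risky_ct_bindings(SAMPLE_QDISCS, SAMPLE_FILTERS):
        print(f"{dev}: ct action on {kind} qdisc {handle}; move it to clsact")
```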

