KernelScan.io

HIGH

sched cls_u32 Classifier OOB

CVE-2026-23204

CVSS 7.1 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

KernelScan AI score: 7.1 HIGH

01

In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use skb_header_pointer_careful() skb_header_pointer() does not fully validate negative @offset values. Use skb_header_pointer_careful() instead. GangMin Kim provided a report and a repro fooling u32_classify(): BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0 net/sched/cls_u32.c:221

02

Engine v0.2.0

Risk summary

This vulnerability allows remote attackers to cause out-of-bounds memory reads in the kernel by sending malicious network packets. This could lead to information disclosure (reading sensitive kernel memory) or denial of service through system crashes. The vulnerability affects systems using the u32 traffic classifier, which is commonly used in network traffic shaping and filtering configurations.

Affected: net/sched/cls_u32.c

Vulnerability analysis

Summary: The cls_u32 traffic classifier in the Linux kernel networking stack contains an out-of-bounds read vulnerability due to insufficient validation of negative offset values in skb_header_pointer().

Root Cause: The skb_header_pointer() function does not fully validate negative offset values, allowing attackers to craft malicious network packets with negative offsets that can cause the kernel to read memory outside the intended buffer boundaries. The vulnerability occurs in the u32_classify() function when processing packet classification rules.

Attack Mechanism: An attacker can send specially crafted network packets with manipulated offset values that bypass the existing validation in skb_header_pointer(). When these packets are processed by the u32 classifier, the negative offsets can cause out-of-bounds memory reads, potentially leading to information disclosure or system crashes.

Fix Mechanism: The patch replaces all calls to skb_header_pointer() with skb_header_pointer_careful() in the cls_u32 classifier. The 'careful' variant includes additional validation to properly handle negative offset values and prevent out-of-bounds access. It also removes a manual overflow check that is now redundant since the careful function handles this validation internally.

03

Branch     Fixed in    Patch commit
5.15       5.15.209    29681ed51e73
6.1        6.1.167     cfa745830e45
6.6        6.6.124     13336a6239b9
6.12       6.12.70     e41a23e61259
6.18       6.18.10     8a672f177ebe
mainline   6.19        cabd1a976375