CVE-2026-23270
Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks As Paolo said earlier [1]: "Since the blamed commit below, classify can return TC_ACT_CONSUMED while the current skb being held by the defragmentation engine. As reported by GangMin Kim, if such packet is that may cause a UaF when the defrag engine later on tries to tuch again such packet." act_ct was never meant to be used in the egress path, however some users are attaching it to egress today [2]. Attempting to reach a middle ground, we noticed that, while most qdiscs are not handling TC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we address the issue by only allowing act_ct to bind to clsact/ingress qdiscs and shared blocks. That way it's still possible to attach act_ct to egress (albeit only with clsact). [1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/ [2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
Linux kernel Affected 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 7.0 | Affected | โ |
| โ | Affected | 5.15.203 |
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
AlmaLinux Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | rtla-5.14.0-611.54.1.el9_7.aarch64.rpm |
| 8 | Fixed | kernel-doc-4.18.0-553.126.1.el8_10.noarch.rpm |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 6.12.85-1 |
| sid | Fixed | 6.19.8-1 |
| forky | Fixed | 6.19.8-1 |
| bullseye | Fixed | 0 |
| bookworm | Fixed | 6.1.170-1 |
Red Hat Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | โ |
| 8 | Fixed | โ |
Rocky Linux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | โ |
References
- https://access.redhat.com/errata/RHSA-2026:13565
- https://access.redhat.com/errata/RHSA-2026:19568
- https://git.kernel.org/stable/c/11cb63b0d1a0685e0831ae3c77223e002ef18189
- https://git.kernel.org/stable/c/380ad8b7c65ea7aa10ef2258297079ed5ac1f5b6
- https://git.kernel.org/stable/c/524ce8b4ea8f64900b6c52b6a28df74f6bc0801e
- https://git.kernel.org/stable/c/5a110ddcc99bda77a28598b3555fe009eaab3828
- https://git.kernel.org/stable/c/9deda0fcda5c1f388c5e279541850b71a2ccfcf4
- https://git.kernel.org/stable/c/bc4e5bb529823a09f02dbe96169de679a9db26e0
- https://git.kernel.org/stable/c/fb3c380a54e33d1fd272cc342faa906d787d7ef1
- https://www.suse.com/security/cve/CVE-2026-23270.html
- https://security-tracker.debian.org/tracker/CVE-2026-23270
- https://bugzilla.redhat.com/2439852
- https://bugzilla.redhat.com/2448745
- https://bugzilla.redhat.com/2454844
- https://bugzilla.redhat.com/2460538
- https://errata.almalinux.org/9/ALSA-2026-13565.html
- https://access.redhat.com/errata/RHSA-2026:21706
- https://bugzilla.redhat.com/2404105
- https://bugzilla.redhat.com/2422699
- https://bugzilla.redhat.com/2424879
- https://bugzilla.redhat.com/2429602
- https://bugzilla.redhat.com/2448594
- https://bugzilla.redhat.com/2454810
- https://bugzilla.redhat.com/2455334
- https://bugzilla.redhat.com/2461107
CWEs
CWE-416
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.