CVE-2026-23270

| EUVD-2026-12913 HIGH
2026-03-18 Linux
7.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 18, 2026 - 18:15 vuln.today
EUVD ID Assigned
Mar 18, 2026 - 18:15 euvd
EUVD-2026-12913
CVE Published
Mar 18, 2026 - 17:54 nvd
HIGH 7.8

Tags

Linux Information Disclosure Redhat Suse

Description

In the Linux kernel, the following vulnerability has been resolved: net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks As Paolo said earlier [1]: "Since the blamed commit below, classify can return TC_ACT_CONSUMED while the current skb being held by the defragmentation engine. As reported by GangMin Kim, if such packet is that may cause a UaF when the defrag engine later on tries to tuch again such packet." act_ct was never meant to be used in the egress path, however some users are attaching it to egress today [2]. Attempting to reach a middle ground, we noticed that, while most qdiscs are not handling TC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we address the issue by only allowing act_ct to bind to clsact/ingress qdiscs and shared blocks. That way it's still possible to attach act_ct to egress (albeit only with clsact). [1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/ [2] https://lore.kernel.org/netdev/[email protected]/

Analysis

This vulnerability is a use-after-free (UaF) condition in the Linux kernel's traffic control (tc) subsystem, specifically in the act_ct (connection tracking) action module. The vulnerability affects all Linux kernel versions where act_ct can be attached to qdiscs other than clsact/ingress, allowing a packet held by the defragmentation engine to be freed while the defrag engine still references it, potentially leading to information disclosure or denial of service. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

39
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +39
POC: 0

Vendor Status

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky vulnerable 6.19.6-2 -
sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

Share

CVE-2026-23270 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy