Skip to main content

Linux EUVDEUVD-2026-12913

| CVE-2026-23270 HIGH
Use After Free (CWE-416)
2026-03-18 Linux
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 18, 2026 - 09:40 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 18, 2026 - 09:22 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 18:15 euvd
EUVD-2026-12913
Analysis Generated
Mar 18, 2026 - 18:15 vuln.today
CVE Published
Mar 18, 2026 - 17:54 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks

As Paolo said earlier [1]:

"Since the blamed commit below, classify can return TC_ACT_CONSUMED while the current skb being held by the defragmentation engine. As reported by GangMin Kim, if such packet is that may cause a UaF when the defrag engine later on tries to tuch again such packet."

act_ct was never meant to be used in the egress path, however some users are attaching it to egress today [2]. Attempting to reach a middle ground, we noticed that, while most qdiscs are not handling TC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we address the issue by only allowing act_ct to bind to clsact/ingress qdiscs and shared blocks. That way it's still possible to attach act_ct to egress (albeit only with clsact).

[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/ [2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/

AnalysisAI

Use-after-free in Linux kernel traffic control (net/sched) occurs when act_ct action returns TC_ACT_CONSUMED while a packet is held by the defragmentation engine, allowing local authenticated attackers with low privileges to achieve code execution, denial of service, or information disclosure. Affects Linux kernel 6.8 through 6.12.x and 6.18.x series. Vendor patches available across multiple stable branches (commits 524ce8b4, 380ad8b7, 9deda0fc, 11cb63b0). EPSS score of 0.02% (4th percentile) indicates very low observed exploitation likelihood despite 7.8 CVSS rating. No active exploitation confirmed; not listed in CISA KEV.

Technical ContextAI

The vulnerability resides in the Linux kernel's network traffic control subsystem (net/sched), specifically in the connection tracking action module (act_ct). Traffic control actions in Linux allow packet classification and manipulation through queuing disciplines (qdiscs). The act_ct action integrates with the kernel's connection tracking framework (conntrack) and defragmentation engine. When act_ct returns TC_ACT_CONSUMED status code while the defragmentation engine still holds references to the packet's sk_buff structure, a use-after-free condition arises. The defragmentation engine may subsequently access freed memory when processing the same packet. The issue stems from commit 3f14b377d01d which introduced behavioral changes allowing this race condition. The fix restricts act_ct binding to only clsact/ingress qdiscs and shared blocks, which properly handle TC_ACT_CONSUMED return codes, preventing the UAF scenario. While act_ct was designed for ingress traffic processing, some deployments incorrectly attached it to egress paths where most qdiscs lack TC_ACT_CONSUMED handling logic.

RemediationAI

Upgrade to patched Linux kernel versions containing fix commits: for 6.12.x series upgrade to 6.12.78 or later (commit 524ce8b4ea8f64900b6c52b6a28df74f6bc0801e), for 6.6.x series apply commit 380ad8b7c65ea7aa10ef2258297079ed5ac1f5b6, for 6.1.x series apply commit 9deda0fcda5c1f388c5e279541850b71a2ccfcf4, for 5.15.x LTS series apply commit 11cb63b0d1a0685e0831ae3c77223e002ef18189. Consult distribution-specific security advisories-Debian tracks fixes across 9 releases. If immediate patching is not feasible, implement these SPECIFIC mitigations: (1) Audit all traffic control configurations with 'tc filter show' and remove act_ct actions attached to egress qdiscs other than clsact-this eliminates the vulnerable code path while preserving legitimate ingress connection tracking; side effect is loss of egress connection tracking functionality if deployed. (2) Restrict CAP_NET_ADMIN capability to only essential system services using capability bounding sets in systemd units or AppArmor/SELinux policies-prevents unprivileged local users from configuring vulnerable tc rules; trade-off is reduced flexibility for network management tooling. (3) On multi-tenant systems, use kernel namespaces to isolate traffic control contexts between tenants-limits blast radius but adds management complexity. Verify fix deployment by checking kernel version with 'uname -r' against fixed commit ranges at https://git.kernel.org/stable/c/524ce8b4ea8f64900b6c52b6a28df74f6bc0801e.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky vulnerable 6.19.6-2 -
sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Affected

Share

EUVD-2026-12913 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy