{ "threat_severity" : "Moderate", "public_date" : "2026-03-18T00:00:00Z", "bugzilla" : { "description" : "kernel: Linux kernel: Use-after-free in traffic control (act_ct) may lead to denial of service or privilege escalation", "id" : "2448745", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2448745" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks\nAs Paolo said earlier [1]:\n\"Since the blamed commit below, classify can return TC_ACT_CONSUMED while\nthe current skb being held by the defragmentation engine. As reported by\nGangMin Kim, if such packet is that may cause a UaF when the defrag engine\nlater on tries to tuch again such packet.\"\nact_ct was never meant to be used in the egress path, however some users\nare attaching it to egress today [2]. Attempting to reach a middle\nground, we noticed that, while most qdiscs are not handling\nTC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we\naddress the issue by only allowing act_ct to bind to clsact/ingress\nqdiscs and shared blocks. That way it's still possible to attach act_ct to\negress (albeit only with clsact).\n[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/\n[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/", "A flaw was found in the Linux kernel. A use-after-free vulnerability exists in the traffic control `act_ct` path when it is incorrectly configured with non-ingress egress qdiscs (queueing disciplines). This can allow a local user with specific privileges to trigger a kernel crash, leading to a denial of service. In some cases, this vulnerability may also be exploited for privilege escalation." ], "statement" : "A use after free risk exists in the traffic control act_ct path when it is attached to non ingress egress qdiscs. In this configuration classify can return TC_ACT_CONSUMED while the skb is still held by the defragmentation engine. That can result in the skb being consumed and later accessed again by defragmentation which may lead to a kernel crash. Impact is denial of service in the common case, but keeping in mind that a kernel UAF could be exploitable for privilege escalation in some cases. The bug could happen only if some specific configuration being used (when tc/action being used and if the act_ct linked to incorrect qdisc/block), and in some cases regular user (if with some privileges) can make such configuration.\nThe bug is not triggerable until some specific configuration being used, so considered with limited impact level.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13566", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "kernel-0:6.12.0-124.55.1.el10_1" }, { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2026-05-20T00:00:00Z", "advisory" : "RHSA-2026:19569", "cpe" : "cpe:/o:redhat:enterprise_linux:10.2", "package" : "kernel-0:6.12.0-211.16.1.el10_2" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13565", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.54.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-05-20T00:00:00Z", "advisory" : "RHSA-2026:19568", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-687.10.1.el9_8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13565", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.54.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-05-20T00:00:00Z", "advisory" : "RHSA-2026:19568", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-687.10.1.el9_8" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Under investigation", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23270\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23270\nhttps://lore.kernel.org/linux-cve-announce/2026031847-CVE-2026-23270-cb9a@gregkh/T" ], "name" : "CVE-2026-23270", "csaw" : false }