SB2026032001 - Use After Free in Linux kernel net/sched

Description

This security bulletin contains information about 1 security vulnerability.

1) Use After Free (CVE-ID: CVE-2026-23270)

The vulnerability allows a local user to cause a use-after-free condition.

The vulnerability exists due to improper memory management in the act_ct action handling within the net/sched subsystem when processing packets in the egress path. A local user can attach the act_ct action to non-clsact/ingress qdiscs and trigger packet classification that returns TC_ACT_CONSUMED while the socket buffer (skb) is still held by the defragmentation engine, leading to a use-after-free condition.

The vulnerability specifically arises when act_ct is used in contexts not designed to handle TC_ACT_CONSUMED, particularly outside clsact/ingress qdiscs and shared blocks. Exploitation requires the ability to configure traffic control (tc) actions, implying local access and privileges to modify qdisc configurations.

Remediation

Install update from vendor's website.

References

• https://git.kernel.org/stable/c/11cb63b0d1a0685e0831ae3c77223e002ef18189
• https://git.kernel.org/stable/c/380ad8b7c65ea7aa10ef2258297079ed5ac1f5b6
• https://git.kernel.org/stable/c/524ce8b4ea8f64900b6c52b6a28df74f6bc0801e
• https://git.kernel.org/stable/c/9deda0fcda5c1f388c5e279541850b71a2ccfcf4