Join the Cyber Forum: Threat Intel on May 12, 2026 to learn how AI is reshaping threat defense.Join the Virtual Cyber Forum: Threat IntelRegister Now
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-23204

CVE-2026-23204: Linux Kernel Use-After-Free Vulnerability

CVE-2026-23204 is a use-after-free vulnerability in the Linux kernel's net/sched cls_u32 component that causes slab-out-of-bounds errors. This article covers the technical details, affected versions, impact, and mitigation.

Published: February 20, 2026

CVE-2026-23204 Overview

A memory safety vulnerability has been identified in the Linux kernel's network scheduler subsystem, specifically within the cls_u32 traffic classifier. The vulnerability exists in the u32_classify() function where the use of skb_header_pointer() fails to properly validate negative offset values, leading to an out-of-bounds read condition in kernel slab memory.

The cls_u32 classifier is a fundamental component of the Linux Traffic Control (TC) system, used for packet classification based on arbitrary packet data. When processing specially crafted packets with manipulated header offsets, an attacker can trigger a KASAN-detected slab-out-of-bounds read at net/sched/cls_u32.c:221.

Critical Impact

This vulnerability allows an attacker to read kernel memory beyond allocated slab boundaries, potentially leading to information disclosure or system instability. The flaw was reported by security researcher GangMin Kim with a working proof-of-concept.

Affected Products

  • Linux kernel net/sched subsystem (cls_u32 classifier)
  • Systems utilizing TC u32 packet classification
  • Network infrastructure running affected kernel versions

Discovery Timeline

  • 2026-02-14 - CVE CVE-2026-23204 published to NVD
  • 2026-02-18 - Last updated in NVD database

Technical Details for CVE-2026-23204

Vulnerability Analysis

The vulnerability stems from improper input validation within the u32_classify() function in net/sched/cls_u32.c. The function utilizes skb_header_pointer() to access packet header data at specified offsets. However, skb_header_pointer() does not fully validate negative offset values passed to it, creating a condition where memory outside the intended buffer boundaries can be accessed.

When a crafted packet with a negative offset value reaches the classifier, the u32_classify() function proceeds to read data from invalid memory locations. This triggers a KASAN (Kernel Address Sanitizer) detection of slab-out-of-bounds access, indicating that kernel heap memory is being read beyond its allocated boundaries.

The security impact includes potential kernel information disclosure through the out-of-bounds read, which could expose sensitive kernel data structures or pointer values. Additionally, depending on memory layout and usage patterns, this could potentially lead to system instability.

Root Cause

The root cause lies in the insufficient validation of the @offset parameter within skb_header_pointer(). This function was not designed to handle negative offset values safely, and the calling code in cls_u32.c did not perform adequate bounds checking before passing user-influenced offset data to the function.

The fix involves replacing skb_header_pointer() with skb_header_pointer_careful(), which provides additional validation for negative offset values and prevents the out-of-bounds access condition.

Attack Vector

An attacker with the ability to send crafted network packets to a system running the vulnerable kernel can exploit this vulnerability. The attack involves constructing packets that will be processed by the u32 classifier with specially crafted offset values that trick the classifier into reading memory outside the packet buffer boundaries.

The attack requires network access to a system where the cls_u32 classifier is actively configured in the traffic control subsystem. The vulnerability is triggered during packet classification processing, meaning any network traffic path that utilizes u32 classification rules could potentially be exploited.

Detection Methods for CVE-2026-23204

Indicators of Compromise

  • KASAN warnings in kernel logs indicating slab-out-of-bounds in u32_classify function
  • Kernel panic or crash events related to net/sched/cls_u32.c
  • Unusual memory access patterns in network packet processing paths
  • System instability during high network traffic utilizing TC u32 classification

Detection Strategies

  • Enable KASAN in kernel builds to detect out-of-bounds memory access during testing and staging
  • Monitor dmesg and kernel logs for BUG reports mentioning cls_u32 or u32_classify
  • Deploy SentinelOne Singularity for real-time kernel-level threat detection and behavioral monitoring
  • Implement network traffic analysis to identify anomalous packet structures targeting traffic control subsystems

Monitoring Recommendations

  • Configure kernel logging to capture all slab corruption and out-of-bounds warnings
  • Monitor TC subsystem usage and classifier rule configurations across infrastructure
  • Enable kernel memory debugging features in non-production environments to identify exploitation attempts
  • Utilize SentinelOne's Linux agent for continuous endpoint monitoring and automated threat response

How to Mitigate CVE-2026-23204

Immediate Actions Required

  • Update to patched kernel versions containing the skb_header_pointer_careful() fix
  • Review TC configurations and disable u32 classifiers where not required until patching is complete
  • Implement network segmentation to limit exposure of affected systems
  • Monitor systems for signs of exploitation using kernel log analysis

Patch Information

Multiple kernel patches have been released to address this vulnerability by replacing skb_header_pointer() with skb_header_pointer_careful() in the affected code path. The patches are available through the official kernel git repositories:

  • Kernel Git Commit 13336a6239
  • Kernel Git Commit 8a672f177e
  • Kernel Git Commit cabd1a9763
  • Kernel Git Commit e41a23e612

Organizations should apply these patches through their standard kernel update procedures or by obtaining updated packages from their Linux distribution vendor.

Workarounds

  • Disable cls_u32 classifier usage in TC configurations where not strictly required
  • Implement strict network access controls to limit untrusted packet sources reaching affected systems
  • Consider alternative classifier implementations (e.g., cls_flower, cls_bpf) until patching is completed
  • Enable KASAN monitoring in staging environments to detect any exploitation attempts
bash
# Check current TC classifier configuration
tc filter show dev eth0

# Remove u32 classifier rules temporarily (example)
tc filter del dev eth0 protocol ip parent 1: prio 1 u32

# Verify kernel version and available patches
uname -r
cat /proc/version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeUse After Free
  • Vendor/TechLinux Kernel
  • SeverityNONE
  • CVSS ScoreN/A
  • EPSS Probability0.02%
  • Known ExploitedNo
  • Impact Assessment
  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityNone
  • Technical References
  • Kernel Git Commit 13336a6239
  • Kernel Git Commit 8a672f177e
  • Kernel Git Commit cabd1a9763
  • Kernel Git Commit e41a23e612
  • Related CVEs
  • CVE-2026-31475: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-31469: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-31457: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-31444: Linux Kernel Use-After-Free Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English