Impact
The vulnerability resides in the Linux kernel's net/sched subsystem, specifically in the u32 classifier. skb_header_pointer() does not fully validate negative offset values, so the classifier can request packet header data from a location outside the packet buffer. The result is a kernel memory read outside its intended bounds, as shown by the KASAN report produced when u32_classify() runs. The immediate consequence is potential information disclosure: leaked kernel memory contents could give an attacker data useful for more advanced exploits, though the flaw does not by itself grant code execution. The weakness is classified as CWE-125, Out-of-bounds Read.
Affected Systems
All currently released Linux kernel versions that include the u32 classifier are affected. The CPE entries cover a broad range of releases, from early 2.6.35 release candidates through 6.19 release candidates (rc1–rc8), and the vendor entry is the generic Linux kernel. Any system running a kernel that contains the indicated commit without the fix is vulnerable, regardless of distribution or patch level.
Risk and Exploitability
The CVSS score of 7.1 indicates moderate-to-high severity. EPSS is very low (<1%), meaning exploitation in the wild is unlikely at present, and the vulnerability is not in the CISA KEV catalog. The attack vector is not explicitly described in the CVE data, but an attacker would presumably need the ability to inject crafted packets that trigger the u32 classifier. This typically requires local or privileged access to the network stack, so the vulnerability is more likely to be exploited after a local compromise, or by a malicious process that can influence traffic processed by the cls_u32 module. Once triggered, the out-of-bounds read could leak sensitive kernel memory, potentially aiding further attacks such as privilege escalation or denial of service. The patch replaces skb_header_pointer() with skb_header_pointer_careful(), which adds proper bounds checking and thereby eliminates the vulnerability.
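To make the bounds-check difference concrete, the following user-space C model is an added example, not kernel code and not the actual patch: it re-creates the pattern the advisory describes, a header lookup whose check only tests the upper bound (so a negative offset still passes) beside a careful variant that rejects negative offsets and length overflow before touching memory. All function names, the struct pkt type and the 20-byte sample packet are constructed for illustration and do not mirror the kernel's real signatures.

```c
/*
 * Illustrative model (added example, not Linux kernel code) of the
 * bounds-check difference between an upper-bound-only header lookup and a
 * "careful" lookup that also rejects negative offsets. Names are hypothetical.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for a packet's linear data area. */
struct pkt {
    const uint8_t *data;
    size_t len;
};

/* Constructed 20-byte sample packet: a fake IPv4-looking header followed by a
 * recognisable 4-byte trailer (0xde 0xad 0xbe 0xef) so reads are easy to spot. */
static const uint8_t sample_bytes[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,
    0x40, 0x06, 0x00, 0x00, 0xc0, 0xa8, 0x00, 0x01,
    0xde, 0xad, 0xbe, 0xef
};
const struct pkt sample_pkt = { sample_bytes, sizeof sample_bytes };

/* Flawed check (modelled): only verifies that the span ENDS inside the packet.
 * offset = -4, len = 4 gives -4 + 4 = 0 <= pkt_len, so it is accepted even
 * though the read would start 4 bytes before the buffer. Check only; it never
 * dereferences anything, so it is safe to call with bad arguments. */
int request_allowed_unsafe(size_t pkt_len, int offset, int len)
{
    return offset + len <= (int)pkt_len;
}

/* Careful check: reject negative offset/length first, then do the remaining
 * comparisons in unsigned arithmetic on values known to be non-negative, so
 * offset + len cannot wrap around pkt_len. */
int request_allowed_careful(size_t pkt_len, int offset, int len)
{
    if (offset < 0 || len < 0)
        return 0;
    if ((size_t)offset > pkt_len)
        return 0;
    if ((size_t)len > pkt_len - (size_t)offset)
        return 0;
    return 1;
}

/* Careful header lookup: copies `len` bytes at `offset` into `buf` and returns
 * buf, or returns NULL without touching memory when the request is rejected. */
const void *header_pointer_careful(const struct pkt *p, int offset, int len, void *buf)
{
    if (!request_allowed_careful(p->len, offset, len))
        return NULL;
    memcpy(buf, p->data + offset, (size_t)len);
    return buf;
}

/* Helper so a caller can check results: returns the first byte of a careful
 * 4-byte read at `offset` from the sample packet, or -1 if it was rejected. */
int careful_read_first_byte(int offset)
{
    uint8_t buf[4];
    if (header_pointer_careful(&sample_pkt, offset, 4, buf) == NULL)
        return -1;
    return buf[0];
}

int main(void)
{
    const int bad_offsets[] = { -4, -1, 17, INT_MAX };
    for (size_t i = 0; i < sizeof bad_offsets / sizeof bad_offsets[0]; i++) {
        int off = bad_offsets[i];
        printf("offset %11d len 4: careful=%s\n", off,
               request_allowed_careful(sample_pkt.len, off, 4) ? "ACCEPTED" : "rejected");
    }
    /* The flawed check is only exercised on the value that cannot overflow. */
    printf("offset          -4 len 4: unsafe=%s\n",
           request_allowed_unsafe(sample_pkt.len, -4, 4) ? "ACCEPTED" : "rejected");
    printf("careful read at 16 -> first byte 0x%02x\n", careful_read_first_byte(16));
    return 0;
}
```

The point of the careful variant is the order of the tests: sign checks first, then unsigned comparisons arranged as `len > pkt_len - offset` rather than `offset + len > pkt_len`, so no addition can overflow before it is compared.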
OpenCVE Enrichment