CVE-2026-23240
Published: Mar 10, 2026
Modified: May 11, 2026
CVSS v3.1
9.8
Description
In the Linux kernel, the following vulnerability has been resolved: tls: Fix race condition in tls_sw_cancel_work_tx() This issue was discovered during a code audit. After cancel_delayed_work_sync() is called from tls_sk_proto_close(), tx_work_handler() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the tx_work_handler() worker may dereference a freed TLS object. The following is a simple race scenario: cpu0 cpu1 tls_sk_proto_close() tls_sw_cancel_work_tx() tls_write_space() tls_sw_write_space() if (!test_and_set_bit(BIT_TX_SCHEDULED, &tx_ctx->tx_bitmask)) set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask); cancel_delayed_work_sync(&ctx->tx_work.work); schedule_delayed_work(&tx_ctx->tx_work.work, 0); To prevent this race condition, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected f87e62d45e51b12d48d2cb46b5cde8f83b866bc4 - < a5de36d6cee74a92c1a21b260bc507e64bc451deaffected f87e62d45e51b12d48d2cb46b5cde8f83b866bc4 - < 854cd32bc74fe573353095e90958490e4e4d641baffected f87e62d45e51b12d48d2cb46b5cde8f83b866bc4 - < 17153f154f80be2b47ebf52840f2d8f724eb2f3baffected f87e62d45e51b12d48d2cb46b5cde8f83b866bc4 - < 7bb09315f93dce6acc54bf59e5a95ba7365c2be4 |
Linux | Linux | affected 5.3unaffected 0 - < 5.3unaffected 6.12.75 - <= 6.12.*unaffected 6.18.16 - <= 6.18.*unaffected 6.19.6 - <= 6.19.*+1 more versions |
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now