CVE-2026-23240
Analyzed Analyzed - Analysis Complete
Race Condition in Linux Kernel TLS Causes Use-After-Free

Publication date: 2026-03-10

Last updated on: 2026-05-20

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: tls: Fix race condition in tls_sw_cancel_work_tx() This issue was discovered during a code audit. After cancel_delayed_work_sync() is called from tls_sk_proto_close(), tx_work_handler() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the tx_work_handler() worker may dereference a freed TLS object. The following is a simple race scenario: cpu0 cpu1 tls_sk_proto_close() tls_sw_cancel_work_tx() tls_write_space() tls_sw_write_space() if (!test_and_set_bit(BIT_TX_SCHEDULED, &tx_ctx->tx_bitmask)) set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask); cancel_delayed_work_sync(&ctx->tx_work.work); schedule_delayed_work(&tx_ctx->tx_work.work, 0); To prevent this race condition, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-05-20
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23240
EUVD
EUVD-2026-10575
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 5.3
linux linux_kernel 5.3
linux linux_kernel 5.3
linux linux_kernel 5.3
linux linux_kernel 5.3
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.16 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.6 (exc)
linux linux_kernel 5.3
linux linux_kernel From 5.3.1 (inc) to 6.12.75 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a race condition in the Linux kernel's TLS (Transport Layer Security) implementation, specifically in the function tls_sw_cancel_work_tx().

The issue occurs because after cancel_delayed_work_sync() is called from tls_sk_proto_close(), the tx_work_handler() can still be scheduled from other paths like the Delayed ACK handler or ksoftirqd. This means the tx_work_handler() worker might try to access (dereference) a TLS object that has already been freed.

A race scenario involves two CPUs where one CPU calls tls_sk_proto_close() and cancels the delayed work, while the other CPU schedules the delayed work again, leading to the unsafe access.

The fix replaces cancel_delayed_work_sync() with disable_delayed_work_sync() to prevent this race condition.

Impact Analysis

This vulnerability can lead to a use-after-free condition where the kernel's TLS worker thread accesses memory that has already been freed.

Such a condition can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or cause denial of service by exploiting the race condition.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability is fixed by replacing cancel_delayed_work_sync() with disable_delayed_work_sync() in the Linux kernel's TLS code to prevent the race condition.

Therefore, the immediate mitigation step is to update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23240. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart