CVE-2026-23240
Analyzed Analyzed - Analysis Complete

Race Condition in Linux Kernel TLS Causes Use-After-Free

Vulnerability report for CVE-2026-23240, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-10

Last updated on: 2026-05-20

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: tls: Fix race condition in tls_sw_cancel_work_tx() This issue was discovered during a code audit. After cancel_delayed_work_sync() is called from tls_sk_proto_close(), tx_work_handler() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the tx_work_handler() worker may dereference a freed TLS object. The following is a simple race scenario: cpu0 cpu1 tls_sk_proto_close() tls_sw_cancel_work_tx() tls_write_space() tls_sw_write_space() if (!test_and_set_bit(BIT_TX_SCHEDULED, &tx_ctx->tx_bitmask)) set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask); cancel_delayed_work_sync(&ctx->tx_work.work); schedule_delayed_work(&tx_ctx->tx_work.work, 0); To prevent this race condition, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-10
Last Modified
2026-05-20
Generated
2026-07-06
AI Q&A
2026-03-10
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 5.3
linux linux_kernel 5.3
linux linux_kernel 5.3
linux linux_kernel 5.3
linux linux_kernel 5.3
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.16 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.6 (exc)
linux linux_kernel 5.3
linux linux_kernel From 5.3.1 (inc) to 6.12.75 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a race condition in the Linux kernel's TLS (Transport Layer Security) implementation, specifically in the function tls_sw_cancel_work_tx().

The issue occurs because after cancel_delayed_work_sync() is called from tls_sk_proto_close(), the tx_work_handler() can still be scheduled from other paths like the Delayed ACK handler or ksoftirqd. This means the tx_work_handler() worker might try to access (dereference) a TLS object that has already been freed.

A race scenario involves two CPUs where one CPU calls tls_sk_proto_close() and cancels the delayed work, while the other CPU schedules the delayed work again, leading to the unsafe access.

The fix replaces cancel_delayed_work_sync() with disable_delayed_work_sync() to prevent this race condition.

Impact Analysis

This vulnerability can lead to a use-after-free condition where the kernel's TLS worker thread accesses memory that has already been freed.

Such a condition can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or cause denial of service by exploiting the race condition.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability is fixed by replacing cancel_delayed_work_sync() with disable_delayed_work_sync() in the Linux kernel's TLS code to prevent the race condition.

Therefore, the immediate mitigation step is to update your Linux kernel to a version that includes this fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23240. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart