CVE-2026-23440
Received Received - Intake
Race Condition in Linux mlx5e Driver Causes IPSec Traffic Halt

Publication date: 2026-04-03

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix race condition during IPSec ESN update In IPSec full offload mode, the device reports an ESN (Extended Sequence Number) wrap event to the driver. The driver validates this event by querying the IPSec ASO and checking that the esn_event_arm field is 0x0, which indicates an event has occurred. After handling the event, the driver must re-arm the context by setting esn_event_arm back to 0x1. A race condition exists in this handling path. After validating the event, the driver calls mlx5_accel_esp_modify_xfrm() to update the kernel's xfrm state. This function temporarily releases and re-acquires the xfrm state lock. So, need to acknowledge the event first by setting esn_event_arm to 0x1. This prevents the driver from reprocessing the same ESN update if the hardware sends events for other reason. Since the next ESN update only occurs after nearly 2^31 packets are received, there's no risk of missing an update, as it will happen long after this handling has finished. Processing the event twice causes the ESN high-order bits (esn_msb) to be incremented incorrectly. The driver then programs the hardware with this invalid ESN state, which leads to anti-replay failures and a complete halt of IPSec traffic. Fix this by re-arming the ESN event immediately after it is validated, before calling mlx5_accel_esp_modify_xfrm(). This ensures that any spurious, duplicate events are correctly ignored, closing the race window.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-27
Generated
2026-05-07
AI Q&A
2026-04-03
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23440
EUVD
EUVD-2026-18681
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.4
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.20 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.10 (exc)
linux linux_kernel From 6.4.1 (inc) to 6.6.130 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's mlx5e network driver related to IPSec Extended Sequence Number (ESN) handling in full offload mode.

When the device reports an ESN wrap event, the driver validates it and must re-arm the event context by setting a specific field (esn_event_arm) back to 0x1 to prevent reprocessing the same event.

A race condition occurs because the driver updates the kernel's xfrm state while temporarily releasing and re-acquiring a lock, allowing the event to be processed twice.

Processing the event twice causes incorrect incrementing of the ESN high-order bits, leading to the hardware being programmed with an invalid ESN state.

This results in anti-replay failures and a complete halt of IPSec traffic.

The fix involves re-arming the ESN event immediately after validation and before updating the xfrm state, closing the race window and preventing duplicate event processing.


How can this vulnerability impact me? :

This vulnerability can cause a complete halt of IPSec traffic on affected systems.

Because the ESN state is incorrectly updated due to the race condition, anti-replay protections fail, which can disrupt secure communications relying on IPSec.

This disruption can lead to network outages or degraded security for systems using IPSec full offload mode with the affected driver.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by re-arming the ESN event immediately after it is validated, before calling mlx5_accel_esp_modify_xfrm(). This prevents the driver from reprocessing the same ESN update and closes the race condition.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix for the net/mlx5e driver handling IPSec ESN updates.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart