9.8
CVE-2026-23240
- EPSS 0.49%
- Veröffentlicht 10.03.2026 17:28:27
- Zuletzt bearbeitet 20.05.2026 19:30:38
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
tls: Fix race condition in tls_sw_cancel_work_tx()
In the Linux kernel, the following vulnerability has been resolved:
tls: Fix race condition in tls_sw_cancel_work_tx()
This issue was discovered during a code audit.
After cancel_delayed_work_sync() is called from tls_sk_proto_close(),
tx_work_handler() can still be scheduled from paths such as the
Delayed ACK handler or ksoftirqd.
As a result, the tx_work_handler() worker may dereference a freed
TLS object.
The following is a simple race scenario:
cpu0 cpu1
tls_sk_proto_close()
tls_sw_cancel_work_tx()
tls_write_space()
tls_sw_write_space()
if (!test_and_set_bit(BIT_TX_SCHEDULED, &tx_ctx->tx_bitmask))
set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask);
cancel_delayed_work_sync(&ctx->tx_work.work);
schedule_delayed_work(&tx_ctx->tx_work.work, 0);
To prevent this race condition, cancel_delayed_work_sync() is
replaced with disable_delayed_work_sync().Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 5.3.1 < 6.12.75
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.16
Linux ≫ Linux Kernel Version >= 6.19 < 6.19.6
Linux ≫ Linux Kernel Version5.3 Update-
Linux ≫ Linux Kernel Version5.3 Updaterc4
Linux ≫ Linux Kernel Version5.3 Updaterc5
Linux ≫ Linux Kernel Version5.3 Updaterc6
Linux ≫ Linux Kernel Version5.3 Updaterc7
Linux ≫ Linux Kernel Version5.3 Updaterc8
Linux ≫ Linux Kernel Version7.0 Updaterc1
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.49% | 0.382 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
https://git.kernel.org/stable/c/a5de36d6cee74a92c1a21b260bc507e64bc451de
https://git.kernel.org/stable/c/854cd32bc74fe573353095e90958490e4e4d641b
https://git.kernel.org/stable/c/17153f154f80be2b47ebf52840f2d8f724eb2f3b
https://git.kernel.org/stable/c/7bb09315f93dce6acc54bf59e5a95ba7365c2be4