CRITICAL🇵🇱 Wersja polska

CVE-2026-23240

CVSS 9.8v3.1pub. 2026-03-10upd. 2026-05-20

In the Linux kernel, the following vulnerability has been resolved: tls: Fix race condition in tls_sw_cancel_work_tx() This issue was discovered during a code audit. After cancel_delayed_work_sync() is called from tls_sk_proto_close(), tx_work_handler() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the tx_work_handler() worker may dereference a freed TLS object. The following is a simple race scenario: cpu0 cpu1 tls_sk_proto_close() tls_sw_cancel_work_tx() tls_write_space() tls_sw_write_space() if (!test_and_set_bit(BIT_TX_SCHEDULED, &tx_ctx->tx_bitmask)) set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask); cancel_delayed_work_sync(&ctx->tx_work.work); schedule_delayed_work(&tx_ctx->tx_work.work, 0); To prevent this race condition, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().

🤖 AI Analysis
How it works

After calling cancel_delayed_work_sync() within tls_sk_proto_close(), there is a time window in which tx_work_handler() can be rescheduled by other code paths — for example, by Delayed ACK handling or ksoftirqd. In a race scenario: cpu1 thread checks the BIT_TX_SCHEDULED bit and schedules a new delayed task (schedule_delayed_work()) after cpu0 has already called cancel_delayed_work_sync() and considered the operation complete. As a result, tx_work_handler() may execute on an already freed TLS object, leading to use-after-free. The fix replaces cancel_delayed_work_sync() with a call to disable_delayed_work_sync(), which prevents the task from being rescheduled.

Impact

An attacker or malicious local user who can trigger appropriate code paths may compromise the confidentiality, integrity, and availability of the system — potentially leading to privilege escalation or kernel panic through exploitation of a use-after-free condition.

Mitigation & patch

Apply patches available in the Linux kernel stable repository according to the references: commits 17153f154f80, 7bb09315f93d, 854cd32bc74f, and a5de36d6cee7. It is recommended to update to a kernel version containing the fix as soon as possible.

Who is affected

Linux kernels containing the vulnerable TLS subsystem implementation (tls_sw_cancel_work_tx()); specific versions indicated in the vendor references (patches available in the stable kernel repository).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Linux Kernel

    OS
    Linux
    5.37.05.3.1 – 6.12.75 (bez)6.13 – 6.18.16 (bez)6.19 – 6.19.6 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Race Condition
CWE
References

Related vulnerabilities

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2022-47986CRITICAL9.8⚠ KEVten sam produkt

IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on t...

CVE-2022-22954CRITICAL9.8⚠ KEVten sam produkt

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-s...

CVE-2020-4006CRITICAL9.1⚠ KEVten sam produkt

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a...