anonhaven
Ad

CVE-2026-23240

CRITICAL CVSS 3.1: 9.8 EPSS 0.06%
Updated Apr 02, 2026
Linux
Parameter Value
CVSS 9.8 (CRITICAL)
Vendor Linux
Public PoC No

In the Linux kernel, the following vulnerability has been resolved: tls: Fix race condition in tls_sw_cancel_work_tx() This issue was discovered during a code audit. After cancel_delayed_work_sync() is called from tls_sk_proto_close(), tx_work_handler() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the tx_work_handler() worker may dereference a freed TLS object.

The following is a simple race scenario: cpu0 cpu1 tls_sk_proto_close() tls_sw_cancel_work_tx() tls_write_space() tls_sw_write_space() if (!test_and_set_bit(BIT_TX_SCHEDULED, &tx_ctx->tx_bitmask)) set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask); cancel_delayed_work_sync(&ctx->tx_work.work); schedule_delayed_work(&tx_ctx->tx_work.work, 0); To prevent this race condition, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

References 4

https://git.kernel.org/stable/c/17153f154f80be2b47ebf52840f2d8f724eb2f3b
416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/7bb09315f93dce6acc54bf59e5a95ba7365c2be4
416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/854cd32bc74fe573353095e90958490e4e4d641b
416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a5de36d6cee74a92c1a21b260bc507e64bc451de
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-40253

Linux

6.8

CVE-2026-41035

Linux

7.4

CVE-2026-40245

Linux

7.5

CVE-2026-6328

Linux

8.3

CVE-2026-39418

Linux

5.0