{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23240","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:37:45.989Z","datePublished":"2026-03-10T17:28:27.371Z","dateUpdated":"2026-05-11T22:03:02.082Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:03:02.082Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntls: Fix race condition in tls_sw_cancel_work_tx()\n\nThis issue was discovered during a code audit.\n\nAfter cancel_delayed_work_sync() is called from tls_sk_proto_close(),\ntx_work_handler() can still be scheduled from paths such as the\nDelayed ACK handler or ksoftirqd.\nAs a result, the tx_work_handler() worker may dereference a freed\nTLS object.\n\nThe following is a simple race scenario:\n\n cpu0 cpu1\n\ntls_sk_proto_close()\n tls_sw_cancel_work_tx()\n tls_write_space()\n tls_sw_write_space()\n if (!test_and_set_bit(BIT_TX_SCHEDULED, &tx_ctx->tx_bitmask))\n set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask);\n cancel_delayed_work_sync(&ctx->tx_work.work);\n schedule_delayed_work(&tx_ctx->tx_work.work, 0);\n\nTo prevent this race condition, cancel_delayed_work_sync() is\nreplaced with disable_delayed_work_sync()."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/tls/tls_sw.c"],"versions":[{"version":"f87e62d45e51b12d48d2cb46b5cde8f83b866bc4","lessThan":"a5de36d6cee74a92c1a21b260bc507e64bc451de","status":"affected","versionType":"git"},{"version":"f87e62d45e51b12d48d2cb46b5cde8f83b866bc4","lessThan":"854cd32bc74fe573353095e90958490e4e4d641b","status":"affected","versionType":"git"},{"version":"f87e62d45e51b12d48d2cb46b5cde8f83b866bc4","lessThan":"17153f154f80be2b47ebf52840f2d8f724eb2f3b","status":"affected","versionType":"git"},{"version":"f87e62d45e51b12d48d2cb46b5cde8f83b866bc4","lessThan":"7bb09315f93dce6acc54bf59e5a95ba7365c2be4","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/tls/tls_sw.c"],"versions":[{"version":"5.3","status":"affected"},{"version":"0","lessThan":"5.3","status":"unaffected","versionType":"semver"},{"version":"6.12.75","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.16","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.6","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.12.75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.18.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.19.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/a5de36d6cee74a92c1a21b260bc507e64bc451de"},{"url":"https://git.kernel.org/stable/c/854cd32bc74fe573353095e90958490e4e4d641b"},{"url":"https://git.kernel.org/stable/c/17153f154f80be2b47ebf52840f2d8f724eb2f3b"},{"url":"https://git.kernel.org/stable/c/7bb09315f93dce6acc54bf59e5a95ba7365c2be4"}],"title":"tls: Fix race condition in tls_sw_cancel_work_tx()","x_generator":{"engine":"bippy-1.2.0"}}}}