CVE-2026-23239
Description
In the Linux kernel, the following vulnerability has been resolved:
espintcp: Fix race condition in espintcp_close()
This issue was discovered during a code audit.
After cancel_work_sync() is called from espintcp_close(), espintcp_tx_work() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the espintcp_tx_work() worker may dereference a freed espintcp ctx or sk.
The following is a simple race scenario:
cpu0                                 cpu1
espintcp_close()
  cancel_work_sync(&ctx->work);
                                     espintcp_write_space()
                                       schedule_work(&ctx->work);
To prevent this race condition, cancel_work_sync() is replaced with disable_work_sync().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel's ESP in TCP (espintcp) subsystem can lead to use-after-free when the close function fails to prevent work from being rescheduled after cleanup.
Vulnerability Analysis
CVE-2026-23239 describes a race condition in the espintcp (ESP-over-TCP) driver within the Linux kernel. The root cause is that espintcp_close() uses cancel_work_sync() to cancel the work item that runs espintcp_tx_work(), but the work item can be rescheduled afterward from other code paths such as the Delayed ACK handler or from ksoftirqd via espintcp_write_space(). This results in a use-after-free where the worker may dereference a freed espintcp_ctx or associated socket [1][2][3].
Attack Scenario
The vulnerability requires the local ability to trigger espintcp_close() while other kernel threads (e.g., softirq handlers) are concurrently calling espintcp_write_space(). An attacker who can set up and tear down ESP-over-TCP connections (common in IPsec VPN or similar setups) could race the close path. No special privileges beyond the ability to trigger ESP/espintcp socket operations are necessary; the bug occurs in kernel context without user-mode interaction.
Impact
A successful exploit leads to a use-after-free condition, which typically results in a kernel crash (denial of service). In some cases, an attacker might be able to leverage the use-after-free to escalate privileges or execute arbitrary code, though the description does not confirm such exploitation [1]. The CVSS v3 score of 7.8 (High) reflects the potential for high impact on confidentiality, integrity, and availability.
Mitigation
The fix replaces cancel_work_sync() with disable_work_sync(), which marks the work item as disabled before synchronously canceling it, preventing rescheduling. The upstream Linux kernel patches are available for multiple stable branches [1][2][3][4]. Administrators should apply the corresponding kernel update as soon as possible. No workaround is mentioned, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
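The difference between the two calls described above, replayed as an added userspace model in C (not kernel code and not taken from the patch). The model_* structs and functions are hypothetical stand-ins that keep only a pending flag and a disable count, and the release of ctx is represented by a flag.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model, not kernel code: only the state relevant to the race. */
struct model_work { bool pending; int disable_depth; };
struct model_ctx  { struct model_work work; bool freed; }; /* stands in for the espintcp ctx */

/* Models schedule_work(): refuses to queue while the item is disabled. */
static bool model_schedule_work(struct model_work *w)
{
    if (w->disable_depth > 0 || w->pending)
        return false;
    w->pending = true;
    return true;
}

/* Models cancel_work_sync(): drops the pending run; later queueing still works. */
static void model_cancel_work_sync(struct model_work *w) { w->pending = false; }

/* Models disable_work_sync(): drops the pending run and blocks later queueing. */
static void model_disable_work_sync(struct model_work *w)
{
    w->disable_depth++;
    w->pending = false;
}

/* Replays the interleaving from the description. Returns true when a run is
 * still queued after ctx has been released, i.e. the worker would touch freed memory. */
static bool worker_runs_on_freed_ctx(bool use_disable)
{
    struct model_ctx ctx = { .work = { .pending = true, .disable_depth = 0 }, .freed = false };

    if (use_disable)                      /* cpu0: espintcp_close() */
        model_disable_work_sync(&ctx.work);
    else
        model_cancel_work_sync(&ctx.work);
    model_schedule_work(&ctx.work);       /* cpu1: espintcp_write_space() */
    ctx.freed = true;                     /* cpu0: close goes on to release ctx (flag only) */
    return ctx.work.pending && ctx.freed; /* worker picks up whatever is queued */
}

int main(void)
{
    printf("cancel_work_sync:  worker on freed ctx = %d\n", worker_runs_on_freed_ctx(false));
    printf("disable_work_sync: worker on freed ctx = %d\n", worker_runs_on_freed_ctx(true));
    return 0;
}
```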
Affected products: 2
Patches: 0
No patches discovered yet.
References: 4
News mentions: 0
No linked articles in our index yet.