CVE-2026-23296
Description
In the Linux kernel, the following vulnerability has been resolved:
scsi: core: Fix refcount leak for tagset_refcnt
This leak will cause a hang when tearing down the SCSI host. For example, iscsid hangs with the following call trace:
[130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured
PID: 2528 TASK: ffff9d0408974e00 CPU: 3 COMMAND: "iscsid" #0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4 #1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f #2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0 #3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f #4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b #5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp] #6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi] #7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi] #8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6 #9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A refcount leak in the Linux kernel's SCSI core tagset_refcnt can cause a hang during SCSI host teardown, affecting iSCSI sessions.
Vulnerability
Analysis
CVE-2026-23296 describes a reference count leak in the Linux kernel's SCSI core, specifically within the tagset_refcnt field. The leak occurs during SCSI device allocation failure, where the reference count is not properly decremented, leading to an imbalance. This bug manifests when the SCSI host is being torn down, as the kernel waits indefinitely for the reference count to reach zero, causing a hang.
Exploitation and
Attack Surface
The vulnerability is triggered during normal SCSI scanning when device allocation fails. No special privileges or network access are required beyond the ability to trigger SCSI device scanning and subsequent host removal. The attack surface is local, as the issue is within the kernel's SCSI subsystem. An attacker with local access could potentially cause a denial-of-service condition by repeatedly triggering SCSI scanning and host teardown, leading to system hangs.
Impact
A successful exploitation results in a denial of service (DoS) where the system hangs during SCSI host removal. The provided call trace shows iscsid hanging in scsi_remove_host, indicating that iSCSI sessions are particularly affected. This can disrupt storage services and cause system unavailability.
Mitigation
The issue has been fixed in the Linux kernel stable tree. Patches have been applied to multiple stable kernel versions, as referenced in commits [1], [2], [3], and [4]. Users should update their kernels to the latest stable releases to resolve the refcount leak and prevent the hang.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/0e274674714427dc578bb99db5b86e312d2b57f8nvd
- git.kernel.org/stable/c/1ac22c8eae81366101597d48360718dff9b9d980nvd
- git.kernel.org/stable/c/7c01b680beaf4d3143866b062b8e770e8b237fb8nvd
- git.kernel.org/stable/c/944a333c8e4d42256556c1d2ebb6d773a33e0dcdnvd
- git.kernel.org/stable/c/9f5e4abed9248448aa1b45b12ab0bea4d329b56anvd
- git.kernel.org/stable/c/a03d96598d39fdf605d90731db3ef3b13fb8bdc8nvd
- git.kernel.org/stable/c/ec5c17c687b189dbc09dfdec11b669caa40bc395nvd
News mentions
0No linked articles in our index yet.