CVE-2026-23193
Published: 14 February 2026
Summary
CVE-2026-23193 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 10.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the use-after-free race condition in iscsit_dec_session_usage_count() by applying kernel patches that release the session_usage_lock before calling complete().
Provides kernel memory safeguards that protect against exploitation of the use-after-free vulnerability by preventing unauthorized access to deallocated iscsit_session structures.
Restricts loading and use of the iSCSI target module to least functionality required, preventing the conditions necessary to trigger the session usage count race condition.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote network-exploitable kernel UAF in iSCSI target enables arbitrary code execution/priv esc (T1068) and exploitation of remote services (T1210).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() In iscsit_dec_session_usage_count(), the function calls complete() while holding the sess->session_usage_lock. Similar to the connection usage count logic, the waiter signaled by complete() (e.g.,…
more
in the session release path) may wake up and free the iscsit_session structure immediately. This creates a race condition where the current thread may attempt to execute spin_unlock_bh() on a session structure that has already been deallocated, resulting in a KASAN slab-use-after-free. To resolve this, release the session_usage_lock before calling complete() to ensure all dereferences of the sess pointer are finished before the waiter is allowed to proceed with deallocation.
Deeper analysisAI
CVE-2026-23193 is a use-after-free vulnerability in the Linux kernel's SCSI target iSCSI implementation, specifically within the iscsit_dec_session_usage_count() function. The issue arises from a race condition where the function calls complete() while holding the sess->session_usage_lock, allowing a waiting thread (such as in the session release path) to wake up, free the iscsit_session structure, and deallocate it before the current thread executes spin_unlock_bh() on the now-freed memory. This flaw was detected by KASAN as a slab-use-after-free and is classified under CWE-416.
An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) with an overall CVSS v3.1 score of 8.8. Exploitation requires the target system to have the iSCSI target module loaded and in use, allowing a low-privileged remote user to trigger the race condition, potentially leading to kernel memory corruption, denial of service, or arbitrary code execution.
Mitigation involves applying the upstream patches from the provided stable kernel commit references, which reorder operations in iscsit_dec_session_usage_count() to release the session_usage_lock before calling complete(), ensuring all dereferences of the session pointer complete before deallocation proceeds. These fixes mirror similar logic used in the connection usage count handling.
Details
- CWE(s)