CVE-2026-23216
Published: 18 February 2026
Summary
CVE-2026-23216 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-23216 is a use-after-free vulnerability in the Linux kernel's SCSI target iSCSI subsystem, specifically within the iscsit_dec_conn_usage_count() function. The issue arises when complete() is invoked while holding the conn->conn_usage_lock spinlock. This allows a waiting thread, such as in iscsit_close_connection(), to wake up, free the iscsi_conn structure, and trigger a KASAN-detected slab-use-after-free when the original thread attempts to release the lock on the already-freed memory. The vulnerability is tracked under CWE-416 and carries a CVSS v3.1 base score of 7.8.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), requiring only local access (AV:L) to the system. Successful exploitation could result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), potentially enabling arbitrary code execution, data corruption, or system crashes within the kernel context.
Mitigation involves applying the upstream kernel patches referenced in the stable repository commits, such as 275016a551ba1a068a3bd6171b18611726b67110, 3835e49e146a4e6e7787b29465f1a23379b6ec44, 48fe983e92de2c59d143fe38362ad17ba23ec7f3, 73b487d44bf4f92942629d578381f89c326ff77f, and 8518f072fc92921418cd9ed4268dd4f3e9a8fd75. These patches fix the race by releasing the spinlock before calling complete(). Security practitioners should update affected Linux kernels to incorporate these changes.
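The lock-then-signal ordering described above, shown as an added user-space illustration in C; it is not kernel code and not taken from the upstream patches. The names `struct conn`, `dec_usage_buggy`, `dec_usage_fixed`, `closer` and `run_fixed` are hypothetical, with a pthread mutex standing in for `conn_usage_lock` and a POSIX semaphore standing in for the completion.

```c
#include <pthread.h>
#include <semaphore.h>
#include <stdlib.h>
struct conn {                    /* hypothetical stand-in for the connection */
    pthread_mutex_t usage_lock;  /* role of conn->conn_usage_lock */
    int usage_count;
    int waiting;                 /* a closer is waiting for count == 0 */
    sem_t done;                  /* role of the completion */
};

/* BUGGY ordering from the description: signal first, unlock afterwards. */
void dec_usage_buggy(struct conn *c) {
    pthread_mutex_lock(&c->usage_lock);
    if (--c->usage_count == 0 && c->waiting)
        sem_post(&c->done);               /* closer may run and free(c) now */
    pthread_mutex_unlock(&c->usage_lock); /* use-after-free if c was freed */
}

/* FIXED ordering: decide under the lock, drop it, then signal. */
void dec_usage_fixed(struct conn *c) {
    pthread_mutex_lock(&c->usage_lock);
    int wake = (--c->usage_count == 0 && c->waiting);
    pthread_mutex_unlock(&c->usage_lock); /* last access to the lock */
    if (wake)
        sem_post(&c->done);               /* c must not be used after this */
}

static void *closer(void *arg) {          /* analogue of the close path */
    struct conn *c = arg;
    while (sem_wait(&c->done) != 0) { }   /* wait for the last user */
    sem_destroy(&c->done);
    pthread_mutex_destroy(&c->usage_lock);
    free(c);
    return NULL;
}

/* Drops `users` references through the fixed path; 0 means clean teardown. */
int run_fixed(int users) {
    struct conn *c = users > 0 ? calloc(1, sizeof(*c)) : NULL;
    pthread_t t;
    if (!c) return -1;
    pthread_mutex_init(&c->usage_lock, NULL);
    sem_init(&c->done, 0, 0);
    c->usage_count = users; c->waiting = 1;
    if (pthread_create(&t, NULL, closer, c)) { free(c); return -1; }
    while (users--) dec_usage_fixed(c);   /* only the last call signals */
    return pthread_join(t, NULL);
}
int main(void) { return run_fixed(3); }
```

`dec_usage_buggy` is kept only for side-by-side reading and is never called; the difference between the two functions is solely whether the unlock happens before or after the wake-up.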
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8019
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()
In iscsit_dec_conn_usage_count(), the function calls complete() while holding the conn->conn_usage_lock. As soon as complete() is invoked, the waiter (such as iscsit_close_connection()) may wake up and proceed to free the iscsit_conn structure. If the waiter frees the memory before the current thread reaches spin_unlock_bh(), it results in a KASAN slab-use-after-free as the function attempts to release a lock within the already-freed connection structure.
Fix this by releasing the spinlock before calling complete().
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel UAF enabling arbitrary code execution from low-privileged context directly maps to exploitation for privilege escalation.
Mitigating Controls (NIST 800-53 r5)
Requires timely identification, reporting, and correction of the use-after-free flaw via application of the specific upstream Linux kernel patches.
Enforces memory protection mechanisms like ASLR and DEP that mitigate exploitation of the kernel use-after-free vulnerability even if unpatched.
Facilitates discovery of CVE-2026-23216 in deployed kernels through vulnerability scanning, enabling remediation before exploitation.