Cyber Resilience

CVE-2026-23216

High

Published: 18 February 2026

Published
18 February 2026
Modified
18 March 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 4.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23216 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-23216 is a use-after-free vulnerability in the Linux kernel's SCSI target iSCSI subsystem, specifically within the iscsit_dec_conn_usage_count() function. The issue arises when complete() is invoked while holding the conn->conn_usage_lock spinlock. This allows a waiting thread, such as in iscsit_close_connection(), to wake up, free the iscsi_conn structure, and trigger a KASAN-detected slab-use-after-free when the original thread attempts to release the lock on the already-freed memory. The vulnerability is tracked under CWE-416 and carries a CVSS v3.1 base score of 7.8.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), requiring only local access (AV:L) to the system. Successful exploitation could result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), potentially enabling arbitrary code execution, data corruption, or system crashes within the kernel context.

Mitigation involves applying the upstream kernel patches referenced in the stable repository commits, such as 275016a551ba1a068a3bd6171b18611726b67110, 3835e49e146a4e6e7787b29465f1a23379b6ec44, 48fe983e92de2c59d143fe38362ad17ba23ec7f3, 73b487d44bf4f92942629d578381f89c326ff77f, and 8518f072fc92921418cd9ed4268dd4f3e9a8fd75. These patches fix the race by releasing the spinlock before calling complete(). Security practitioners should update affected Linux kernels to incorporate these changes.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() In iscsit_dec_conn_usage_count(), the function calls complete() while holding the conn->conn_usage_lock. As soon as complete() is invoked, the waiter (such as iscsit_close_connection()) may wake…

more

up and proceed to free the iscsit_conn structure. If the waiter frees the memory before the current thread reaches spin_unlock_bh(), it results in a KASAN slab-use-after-free as the function attempts to release a lock within the already-freed connection structure. Fix this by releasing the spinlock before calling complete().

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF enabling arbitrary code execution from low-privileged context directly maps to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-43019Same product: Linux Linux Kernel
CVE-2026-23158Same product: Linux Linux Kernel
CVE-2025-21893Same product: Linux Linux Kernel
CVE-2026-31446Same product: Linux Linux Kernel
CVE-2026-31650Same product: Linux Linux Kernel
CVE-2026-23001Same product: Linux Linux Kernel
CVE-2024-50051Same product: Linux Linux Kernel
CVE-2025-21759Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.19 · 3.1 — 5.10.250 · 5.11 — 5.15.200 · 5.16 — 6.1.163

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of the use-after-free flaw via application of the specific upstream Linux kernel patches.

prevent

Enforces memory protection mechanisms like ASLR and DEP that mitigate exploitation of the kernel use-after-free vulnerability even if unpatched.

detect

Facilitates discovery of CVE-2026-23216 in deployed kernels through vulnerability scanning, enabling remediation before exploitation.

References