CVE-2026-23239
Published: 10 March 2026
Summary
CVE-2026-23239 is a high-severity race condition (CWE-362) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 2.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-23239 is a race condition vulnerability in the Linux kernel's espintcp component, specifically within the espintcp_close() function. After cancel_work_sync() is called to cancel the espintcp_tx_work, the worker can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. This leads to espintcp_tx_work() dereferencing a freed espintcp context (ctx) or socket (sk), resulting in a use-after-free condition. The vulnerability was discovered during a code audit and has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements. In a typical race scenario, one CPU executes espintcp_close() and calls cancel_work_sync(&ctx->work), while another CPU concurrently calls espintcp_write_space() and schedules the work (&ctx->work). Successful exploitation could allow the attacker to achieve high-impact confidentiality, integrity, and availability violations, potentially leading to arbitrary code execution, data corruption, or system crashes via the use-after-free.
Mitigation is provided through kernel patches available in stable trees, which replace cancel_work_sync() with disable_work_sync() to prevent the race. Relevant commits include: https://git.kernel.org/stable/c/022ff7f347588de6e17879a1da6019647b21321b, https://git.kernel.org/stable/c/664e9df53226b4505a0894817ecad2c610ab11d8, https://git.kernel.org/stable/c/e1512c1db9e8794d8d130addd2615ec27231d994, and https://git.kernel.org/stable/c/f7ad8b1d0e421c524604d5076b73232093490d5c. Security practitioners should apply these updates to affected Linux kernels.
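The difference between the two calls, as an added user-space model in C (not the kernel patch and not code from this page). The work_model struct and the model_* functions are hypothetical stand-ins that keep only a pending flag and a disable count, and the interleaving replayed is the cpu0/cpu1 scenario described above.

```c
#include <stdbool.h>
#include <stdio.h>
/* User-space model of a kernel work item: only the state needed to show the race. */
struct work_model {
    bool pending;       /* queued, will run later */
    int  disable_depth; /* > 0 means queueing is refused */
};

/* Models schedule_work(): refuses to queue while the work is disabled. */
static bool model_schedule_work(struct work_model *w)
{
    if (w->disable_depth > 0 || w->pending)
        return false;
    w->pending = true;
    return true;
}

/* Models cancel_work_sync(): drops a pending instance, later queueing still allowed. */
static void model_cancel_work_sync(struct work_model *w)
{
    w->pending = false;
}

/* Models disable_work_sync(): drops a pending instance and blocks re-queueing. */
static void model_disable_work_sync(struct work_model *w)
{
    w->disable_depth++;
    w->pending = false;
}

/* Replays the page's interleaving; returns true if the worker is still
 * queued when close() goes on to free ctx (the use-after-free window). */
static bool worker_pending_at_free(bool patched)
{
    struct work_model work = { .pending = true, .disable_depth = 0 };
    if (patched)                       /* cpu0: espintcp_close() */
        model_disable_work_sync(&work);
    else
        model_cancel_work_sync(&work);
    model_schedule_work(&work);        /* cpu1: espintcp_write_space() */
    return work.pending;               /* cpu0: ctx is freed after this point */
}

int main(void)
{
    printf("cancel_work_sync:  worker pending at free = %d\n", worker_pending_at_free(false));
    printf("disable_work_sync: worker pending at free = %d\n", worker_pending_at_free(true));
    return 0;
}
```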
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10573
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

espintcp: Fix race condition in espintcp_close()

This issue was discovered during a code audit.

After cancel_work_sync() is called from espintcp_close(), espintcp_tx_work() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the espintcp_tx_work() worker may dereference a freed espintcp ctx or sk.

The following is a simple race scenario:

    cpu0                             cpu1

    espintcp_close()
      cancel_work_sync(&ctx->work);
                                     espintcp_write_space()
                                       schedule_work(&ctx->work);

To prevent this race condition, cancel_work_sync() is replaced with disable_work_sync().
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel UAF race condition directly enables privilege escalation via arbitrary code execution in espintcp component.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly remediates the race condition and use-after-free in espintcp_close() by applying the specific kernel patches replacing cancel_work_sync() with disable_work_sync().
Monitors and scans for vulnerable Linux kernel versions affected by CVE-2026-23239 to identify systems requiring patching.
Implements kernel memory protections like ASLR and stack canaries to mitigate exploitation of the use-after-free even if unpatched.