Cyber Resilience

CVE-2026-23239

High · Updated

Published: 10 March 2026

Modified: 20 May 2026
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (2.5th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23239 is a high-severity Race Condition (CWE-362) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its exploit likelihood ranks at the 2.5th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-23239 is a race condition vulnerability in the Linux kernel's espintcp component, specifically within the espintcp_close() function. After cancel_work_sync() is called to cancel the espintcp_tx_work, the worker can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. This leads to espintcp_tx_work() dereferencing a freed espintcp context (ctx) or socket (sk), resulting in a use-after-free condition. The vulnerability was discovered during a code audit and has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability is exploitable by a local attacker with low privileges; attack complexity is low and no user interaction is required. In a typical race scenario, one CPU executes espintcp_close() and calls cancel_work_sync(&ctx->work), while another CPU concurrently runs espintcp_write_space(), which calls schedule_work(&ctx->work). Successful exploitation could allow the attacker to achieve high-impact confidentiality, integrity, and availability violations, potentially leading to arbitrary code execution, data corruption, or system crashes via the use-after-free.

Mitigation is provided through kernel patches available in stable trees, which replace cancel_work_sync() with disable_work_sync() to prevent the race. Relevant commits include: https://git.kernel.org/stable/c/022ff7f347588de6e17879a1da6019647b21321b, https://git.kernel.org/stable/c/664e9df53226b4505a0894817ecad2c610ab11d8, https://git.kernel.org/stable/c/e1512c1db9e8794d8d130addd2615ec27231d994, and https://git.kernel.org/stable/c/f7ad8b1d0e421c524604d5076b73232093490d5c. Security practitioners should apply these updates to affected Linux kernels.


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

espintcp: Fix race condition in espintcp_close()

This issue was discovered during a code audit.

After cancel_work_sync() is called from espintcp_close(), espintcp_tx_work() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the espintcp_tx_work() worker may dereference a freed espintcp ctx or sk.

The following is a simple race scenario:

    cpu0                             cpu1

    espintcp_close()
      cancel_work_sync(&ctx->work);
                                     espintcp_write_space()
                                       schedule_work(&ctx->work);

To prevent this race condition, cancel_work_sync() is replaced with disable_work_sync().


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF race condition directly enables privilege escalation via arbitrary code execution in espintcp component.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23004 (same product: Linux kernel)
CVE-2026-23161 (same product: Linux kernel)
CVE-2026-31700 (same product: Linux kernel)
CVE-2026-31761 (same product: Linux kernel)
CVE-2026-23240 (same product: Linux kernel)
CVE-2026-23271 (same product: Linux kernel)
CVE-2026-23393 (same product: Linux kernel)
CVE-2026-31516 (same product: Linux kernel)
CVE-2026-23169 (same product: Linux kernel)
CVE-2026-23410 (same product: Linux kernel)

Affected Assets

linux
linux kernel
7.0 · 5.6 — 6.12.75 · 6.13 — 6.18.16 · 6.19 — 6.19.6

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: Directly remediates the race condition and use-after-free in espintcp_close() by applying the specific kernel patches replacing cancel_work_sync() with disable_work_sync().

Detect: Monitors and scans for vulnerable Linux kernel versions affected by CVE-2026-23239 to identify systems requiring patching.

Prevent: Implements kernel memory protections like ASLR and stack canaries to mitigate exploitation of the use-after-free even if unpatched.
