Cyber Resilience

CVE-2026-23240

Critical

Published: 10 March 2026

Modified: 20 May 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0049 (38.3th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-23240 is a critical-severity race condition (CWE-362) vulnerability in the Linux kernel. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 38.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23240 is a race condition vulnerability in the Linux kernel's TLS implementation, specifically within the tls_sw_cancel_work_tx() function. After cancel_delayed_work_sync() is called from tls_sk_proto_close(), the tx_work_handler() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd, potentially leading the worker to dereference a freed TLS object. This use-after-free issue was identified during a code audit and carries a CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

A remote, unauthenticated attacker with network access can exploit this vulnerability by triggering the race condition during TLS socket closure. For instance, while one CPU executes tls_sk_proto_close() and cancels the delayed work, another CPU may invoke tls_write_space() via tls_sw_write_space(), scheduling the tx_work despite the bitmask check, resulting in use-after-free access. Successful exploitation could enable kernel memory corruption, potentially leading to arbitrary code execution, data leakage, or denial of service through system crashes.

The provided kernel patch references detail the mitigation, which replaces cancel_delayed_work_sync() with disable_delayed_work_sync() in tls_sw_cancel_work_tx() to properly prevent rescheduling of the tx_work after cancellation. These fixes are available in stable kernel commits at https://git.kernel.org/stable/c/17153f154f80be2b47ebf52840f2d8f724eb2f3b, https://git.kernel.org/stable/c/7bb09315f93dce6acc54bf59e5a95ba7365c2be4, https://git.kernel.org/stable/c/854cd32bc74fe573353095e90958490e4e4d641b, and https://git.kernel.org/stable/c/a5de36d6cee74a92c1a21b260bc507e64bc451de. Security practitioners should apply these upstream patches to affected Linux kernels supporting TLS offload.
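The interleaving described above, replayed as a deterministic user-space C model. This is an added example, not kernel code and not taken from the patch; struct model_dwork, the model_* helpers and the bit number are assumptions made for illustration. It goes slightly beyond the page by also replaying the ordering in which cpu0's set_bit() lands before cpu1's check.

```c
#include <stdbool.h>
#include <stdio.h>
#define BIT_TX_SCHEDULED 0          /* constructed bit number for the model */
struct model_dwork {                /* stands in for struct delayed_work */
    bool pending;                   /* queued; the handler will run later */
    int disable_depth;              /* > 0: queueing attempts are refused */
};

static bool model_test_and_set_bit(int nr, unsigned long *mask)
{
    bool old = (*mask >> nr) & 1UL;
    *mask |= 1UL << nr;
    return old;
}

/* schedule_delayed_work(): refused only while the work is disabled. */
static void model_schedule(struct model_dwork *w)
{
    if (w->disable_depth == 0)
        w->pending = true;
}

/* Close path: both calls dequeue; only disable blocks later queueing. */
static void model_close_tx_work(struct model_dwork *w, bool patched)
{
    w->disable_depth += patched ? 1 : 0;    /* disable_delayed_work_sync() */
    w->pending = false;                     /* what both calls do */
}

/* True if tx_work is still queued after close (handler would use freed ctx). */
bool work_pending_after_close(bool patched, bool cpu1_checks_first)
{
    struct model_dwork tx_work = { false, 0 };
    /* If cpu0's set_bit() lands first, cpu1's check sees the bit already set. */
    unsigned long bits = cpu1_checks_first ? 0 : 1UL << BIT_TX_SCHEDULED;
    /* cpu1: bit check in tls_sw_write_space(); it also sets the bit. */
    bool cpu1_schedules = !model_test_and_set_bit(BIT_TX_SCHEDULED, &bits);

    model_close_tx_work(&tx_work, patched);     /* cpu0: cancel or disable */
    if (cpu1_schedules)
        model_schedule(&tx_work);               /* cpu1: schedule_delayed_work() */
    return tx_work.pending;
}

int main(void)
{
    printf("cancel=%d disable=%d\n", work_pending_after_close(false, true), work_pending_after_close(true, true));
    return 0;
}
```

The work stays queued after close only for the unpatched call with cpu1 checking first, which is the window the fix closes.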

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

tls: Fix race condition in tls_sw_cancel_work_tx()

This issue was discovered during a code audit.

After cancel_delayed_work_sync() is called from tls_sk_proto_close(), tx_work_handler() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the tx_work_handler() worker may dereference a freed TLS object.

The following is a simple race scenario:

    cpu0                                  cpu1

    tls_sk_proto_close()
      tls_sw_cancel_work_tx()
                                          tls_write_space()
                                            tls_sw_write_space()
                                              if (!test_and_set_bit(BIT_TX_SCHEDULED, &tx_ctx->tx_bitmask))
        set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask);
        cancel_delayed_work_sync(&ctx->tx_work.work);
                                                schedule_delayed_work(&tx_ctx->tx_work.work, 0);

To prevent this race condition, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Kernel TLS UAF race condition directly enables remote unauthenticated exploitation for kernel-level privilege escalation and arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23004 (same product: Linux kernel)
CVE-2026-23410 (same product: Linux kernel)
CVE-2026-31761 (same product: Linux kernel)
CVE-2026-23271 (same product: Linux kernel)
CVE-2026-23161 (same product: Linux kernel)
CVE-2026-43023 (same product: Linux kernel)
CVE-2026-23411 (same product: Linux kernel)
CVE-2026-31700 (same product: Linux kernel)
CVE-2026-31516 (same product: Linux kernel)
CVE-2026-23169 (same product: Linux kernel)

Affected Assets

linux
linux kernel
5.3, 7.0 · 5.3.1 — 6.12.75 · 6.13 — 6.18.16 · 6.19 — 6.19.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely remediation of software flaws by applying vendor patches, directly addressing the race condition and use-after-free in the Linux kernel's TLS implementation.

detect

Requires vulnerability scanning to identify systems with vulnerable kernel versions affected by CVE-2026-23240, enabling proactive patching.

prevent

Provides memory protection mechanisms that mitigate exploitation of the use-after-free by restricting unauthorized kernel memory access.
