CVE-2026-23240
Published: 10 March 2026
Summary
CVE-2026-23240 is a critical-severity Race Condition (CWE-362) vulnerability in the Linux kernel. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 38.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-23240 is a race condition vulnerability in the Linux kernel's TLS implementation, specifically within the tls_sw_cancel_work_tx() function. After cancel_delayed_work_sync() is called from tls_sk_proto_close(), the tx_work_handler() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd, potentially leading the worker to dereference a freed TLS object. This use-after-free issue was identified during a code audit and carries a CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
A remote, unauthenticated attacker with network access can exploit this vulnerability by triggering the race condition during TLS socket closure. For instance, while one CPU executes tls_sk_proto_close() and cancels the delayed work, another CPU may invoke tls_write_space() via tls_sw_write_space(), scheduling the tx_work despite the bitmask check, resulting in use-after-free access. Successful exploitation could enable kernel memory corruption, potentially leading to arbitrary code execution, data leakage, or denial of service through system crashes.
The referenced kernel patches implement the mitigation: they replace cancel_delayed_work_sync() with disable_delayed_work_sync() in tls_sw_cancel_work_tx(), so that tx_work cannot be rescheduled after cancellation. The fixes are available in stable kernel commits at https://git.kernel.org/stable/c/17153f154f80be2b47ebf52840f2d8f724eb2f3b, https://git.kernel.org/stable/c/7bb09315f93dce6acc54bf59e5a95ba7365c2be4, https://git.kernel.org/stable/c/854cd32bc74fe573353095e90958490e4e4d641b, and https://git.kernel.org/stable/c/a5de36d6cee74a92c1a21b260bc507e64bc451de. Security practitioners should apply these upstream patches to affected Linux kernels supporting TLS offload.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10575
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

tls: Fix race condition in tls_sw_cancel_work_tx()

This issue was discovered during a code audit. After cancel_delayed_work_sync() is called from tls_sk_proto_close(), tx_work_handler() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the tx_work_handler() worker may dereference a freed TLS object.

The following is a simple race scenario:

cpu0: tls_sk_proto_close()
cpu0:   tls_sw_cancel_work_tx()
cpu1: tls_write_space()
cpu1:   tls_sw_write_space()
cpu1:     if (!test_and_set_bit(BIT_TX_SCHEDULED, &tx_ctx->tx_bitmask))
cpu0:     set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask);
cpu0:     cancel_delayed_work_sync(&ctx->tx_work.work);
cpu1:     schedule_delayed_work(&tx_ctx->tx_work.work, 0);

To prevent this race condition, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().
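The interleaving above, replayed in a deterministic user-space model to show why the fix closes the window. This is an added example, not kernel code or code from the patch. The functions are simplified stand-ins that borrow the kernel names, and the `disabled` counter and `freed` flag are modelling assumptions.

```c
/* User-space model (constructed for illustration) of the delayed-work
 * semantics behind the fix. Stand-ins only: none of this is kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct dwork { bool pending; int disabled; };   /* models ctx->tx_work.work */
struct tls_ctx { unsigned long tx_bitmask; struct dwork tx_work; bool freed; };
#define BIT_TX_SCHEDULED 0

static bool test_and_set_bit(int nr, unsigned long *w)
{ bool old = (*w >> nr) & 1UL; *w |= 1UL << nr; return old; }

/* Queueing is refused while the item is disabled or already pending. */
static bool schedule_delayed_work(struct dwork *w)
{ if (w->disabled || w->pending) return false; w->pending = true; return true; }

/* cancel: drops a pending instance; later queueing still succeeds. */
static void cancel_delayed_work_sync(struct dwork *w) { w->pending = false; }

/* disable: cancel plus a disable count that blocks later queueing. */
static void disable_delayed_work_sync(struct dwork *w)
{ w->disabled++; w->pending = false; }

/* Replays the cpu0/cpu1 interleaving from the description. Returns true when
 * the worker is still queued after the context is freed (the UAF condition). */
bool worker_queued_after_free(bool patched)
{
    struct tls_ctx ctx = {0};
    /* cpu1: tls_sw_write_space() passes the bit check first */
    bool may_schedule = !test_and_set_bit(BIT_TX_SCHEDULED, &ctx.tx_bitmask);
    /* cpu0: tls_sw_cancel_work_tx() */
    ctx.tx_bitmask |= 1UL << BIT_TX_SCHEDULED;          /* set_bit() */
    if (patched) disable_delayed_work_sync(&ctx.tx_work);
    else         cancel_delayed_work_sync(&ctx.tx_work);
    /* cpu1: resumes after the check and schedules the worker */
    if (may_schedule) schedule_delayed_work(&ctx.tx_work);
    /* cpu0: the close path goes on to free the TLS context */
    ctx.freed = true;
    return ctx.freed && ctx.tx_work.pending;
}

int main(void)
{
    printf("cancel_delayed_work_sync : queued after free = %d\n", worker_queued_after_free(false));
    printf("disable_delayed_work_sync: queued after free = %d\n", worker_queued_after_free(true));
    return 0;
}
```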
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Kernel TLS UAF race condition directly enables remote unauthenticated exploitation for kernel-level privilege escalation and arbitrary code execution.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Mandates timely remediation of software flaws by applying vendor patches, directly addressing the race condition and use-after-free in the Linux kernel's TLS implementation.
Requires vulnerability scanning to identify systems with vulnerable kernel versions affected by CVE-2026-23240, enabling proactive patching.
Provides memory protection mechanisms that mitigate exploitation of the use-after-free by restricting unauthorized kernel memory access.