Cyber Posture

CVE-2026-23393

Severity: High

Published: 25 March 2026
Modified: 24 April 2026
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.8th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23393 is a high-severity race condition (CWE-362) vulnerability in the Linux kernel (vendor Linux, product Linux Kernel). Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 1.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mitigates CVE-2026-23393 by requiring timely application of the kernel patch that replaces cancel_delayed_work_sync() with disable_delayed_work_sync() to eliminate the race condition and use-after-free.

detect: Enables vulnerability scanning to identify systems running vulnerable Linux kernel versions affected by the bridge CFM race condition in CVE-2026-23393.

prevent: Provides defense-in-depth against exploitation of the use-after-free in CVE-2026-23393 via kernel memory protections like KASLR and stack canaries that hinder arbitrary code execution.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel use-after-free race condition directly enables privilege escalation via exploitation of the CFM peer MEP deletion path for arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved: bridge: cfm: Fix race condition in peer_mep deletion. When a peer MEP is being deleted, cancel_delayed_work_sync() is called on ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in softirq context under rcu_read_lock (without RTNL) and can re-schedule ccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync() returning and kfree_rcu() being called. The following is a simple race scenario:

  cpu0                                        cpu1
  mep_delete_implementation()
    cancel_delayed_work_sync(ccm_rx_dwork);
                                              br_cfm_frame_rx()
                                                // peer_mep still in hlist
                                                if (peer_mep->ccm_defect)
                                                  ccm_rx_timer_start()
                                                    queue_delayed_work(ccm_rx_dwork)
    hlist_del_rcu(&peer_mep->head);
    kfree_rcu(peer_mep, rcu);
                                              ccm_rx_work_expired()
                                                // on freed peer_mep

To prevent this, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync() in both peer MEP deletion paths, so that subsequent queue_delayed_work() calls from br_cfm_frame_rx() are silently rejected. The cc_peer_disable() helper retains cancel_delayed_work_sync() because it is also used for the CC enable/disable toggle path where the work must remain re-schedulable.

Deeper analysis

CVE-2026-23393 is a race condition vulnerability in the Linux kernel's bridge Connectivity Fault Management (CFM) component, specifically during peer MEP deletion. The issue arises when cancel_delayed_work_sync() is called on ccm_rx_dwork before freeing the peer_mep structure, but br_cfm_frame_rx()—running in softirq context under rcu_read_lock without RTNL—can reschedule the work via ccm_rx_timer_start() between the cancel returning and kfree_rcu() execution. This leads to ccm_rx_work_expired() accessing the already-freed peer_mep, resulting in a use-after-free. The vulnerability is scored at CVSS 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-362 (race condition).

A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements. Exploitation involves triggering the race during peer MEP deletion, potentially allowing arbitrary code execution, data corruption, or denial of service through the use-after-free on the freed peer_mep structure in ccm_rx_work_expired().

The provided kernel patch references detail the mitigation: commits replace cancel_delayed_work_sync() with disable_delayed_work_sync() in both peer MEP deletion paths, ensuring subsequent queue_delayed_work() calls from br_cfm_frame_rx() are rejected. The cc_peer_disable() helper retains cancel_delayed_work_sync() as it supports CC enable/disable toggling where rescheduling is needed. Security practitioners should apply these stable kernel patches to vulnerable versions.
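To make the difference between the two workqueue primitives concrete, here is an added userspace C model (not code from this page, the kernel, or the patch): a cancel-style operation drains the work but leaves it re-queueable, so a racing queue attempt lands on an object about to be freed, while a disable-style operation makes later queue attempts fail. The struct and function names (model_work, model_queue, model_cancel_sync, model_disable_sync, race_leaves_work_pending) are constructed for the model and only imitate the semantics described in the commit message.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of a delayed work item; not the kernel's struct. */
struct model_work {
    bool pending;   /* queued and will run later */
    int  disabled;  /* > 0: queue attempts are rejected (disable_* semantics) */
};

/* Model of queue_delayed_work(): returns true only if the work was queued. */
static bool model_queue(struct model_work *w)
{
    if (w->disabled > 0 || w->pending)
        return false;
    w->pending = true;
    return true;
}

/* Model of cancel_delayed_work_sync(): drains, but stays re-queueable. */
static void model_cancel_sync(struct model_work *w)
{
    w->pending = false;
}

/* Model of disable_delayed_work_sync(): drains and blocks further queueing. */
static void model_disable_sync(struct model_work *w)
{
    w->pending = false;
    w->disabled++;
}

/* Replays the commit-message race: cpu0 cancels or disables, cpu1 races a
 * queue attempt from the rx path, then cpu0 frees the owner. Returns true if
 * work is still pending at free time, i.e. it would later run on freed memory. */
static bool race_leaves_work_pending(bool use_disable)
{
    struct model_work *w = calloc(1, sizeof *w);
    bool pending_at_free;

    if (use_disable)
        model_disable_sync(w);   /* patched deletion path */
    else
        model_cancel_sync(w);    /* original deletion path */
    /* cpu1: br_cfm_frame_rx() -> ccm_rx_timer_start() -> queue_delayed_work() */
    (void)model_queue(w);
    /* cpu0: hlist_del_rcu(); kfree_rcu() */
    pending_at_free = w->pending;
    free(w);
    return pending_at_free;
}
```

The model also shows why cc_peer_disable() keeps the cancel variant: after model_cancel_sync() a later model_queue() still succeeds, which is exactly the re-scheduling the CC enable/disable toggle path needs.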

Details

Affected Products

Vendor: linux
Product: linux kernel
Affected versions: 5.11, 7.0 · 5.11.1 — 6.12.78 · 6.13 — 6.18.20 · 6.19 — 6.19.10

CVEs Like This One

CVE-2026-23411 (same product: Linux Linux Kernel)
CVE-2026-23004 (same product: Linux Linux Kernel)
CVE-2026-43023 (same product: Linux Linux Kernel)
CVE-2026-23161 (same product: Linux Linux Kernel)
CVE-2026-31700 (same product: Linux Linux Kernel)
CVE-2026-31761 (same product: Linux Linux Kernel)
CVE-2026-23169 (same product: Linux Linux Kernel)
CVE-2026-23410 (same product: Linux Linux Kernel)
CVE-2026-31516 (same product: Linux Linux Kernel)
CVE-2026-23440 (same product: Linux Linux Kernel)
