Cyber Posture

CVE-2026-23440

Severity: High
Published: 03 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: available
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0003 (10.2th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23440 is a high-severity race condition (CWE-362) vulnerability in the Linux kernel (vendor Linux, product Linux Kernel). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its EPSS ranking places it at the 10.2th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 Flaw Remediation · prevent
Flaw remediation directly addresses the vulnerability by applying the kernel patch that re-arms the ESN event immediately after validation, eliminating the race condition window.

SC-5 Denial-of-service Protection · prevent, detect
Denial-of-service protection implements safeguards to prevent or limit the impact of traffic halts caused by invalid ESN state programming from duplicate event processing.

System Monitoring · detect
System monitoring identifies indicators of the race condition exploitation, such as anti-replay failures and IPSec traffic cessation.

MITRE ATT&CK Enterprise Techniques [AI]

T1499.004 Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The race condition in the mlx5e IPSec offload driver directly enables a remote, network-triggered DoS via invalid ESN state and anti-replay failure (T1499.004 Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix race condition during IPSec ESN update

In IPSec full offload mode, the device reports an ESN (Extended Sequence Number) wrap event to the driver. The driver validates this event by querying the IPSec ASO and checking that the esn_event_arm field is 0x0, which indicates an event has occurred. After handling the event, the driver must re-arm the context by setting esn_event_arm back to 0x1.

A race condition exists in this handling path. After validating the event, the driver calls mlx5_accel_esp_modify_xfrm() to update the kernel's xfrm state. This function temporarily releases and re-acquires the xfrm state lock. So the event needs to be acknowledged first by setting esn_event_arm to 0x1. This prevents the driver from reprocessing the same ESN update if the hardware sends events for other reasons. Since the next ESN update only occurs after nearly 2^31 packets are received, there's no risk of missing an update, as it will happen long after this handling has finished.

Processing the event twice causes the ESN high-order bits (esn_msb) to be incremented incorrectly. The driver then programs the hardware with this invalid ESN state, which leads to anti-replay failures and a complete halt of IPSec traffic.

Fix this by re-arming the ESN event immediately after it is validated, before calling mlx5_accel_esp_modify_xfrm(). This ensures that any spurious, duplicate events are correctly ignored, closing the race window.

Deeper analysis [AI]

CVE-2026-23440 is a race condition vulnerability in the Linux kernel's mlx5e network driver, specifically in the handling of Extended Sequence Number (ESN) wrap events in IPSec full offload mode on Mellanox (NVIDIA) ConnectX network adapters. When the device reports an ESN wrap, the driver validates the event by checking the esn_event_arm field in the IPSec ASO context. It then calls mlx5_accel_esp_modify_xfrm() to update the kernel's xfrm state, which temporarily releases and re-acquires the xfrm state lock. This creates a window in which a duplicate or spurious event can be processed a second time, incrementing the ESN high-order bits (esn_msb) incorrectly. The driver then programs the hardware with this invalid ESN state, triggering anti-replay failures and halting IPSec traffic.

A remote network attacker can exploit this vulnerability with low attack complexity and no privileges or user interaction required, as reflected in its CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Exploitation requires triggering an ESN wrap event, which occurs after approximately 2^31 packets are processed on an IPSec security association. By influencing traffic volume and timing so that a duplicate event lands in the race window during driver handling, an attacker can cause the driver to process the event twice, resulting in a denial-of-service condition in which IPSec traffic stops completely because anti-replay checks fail.

The referenced kernel stable commits detail the fix: re-arm the ESN event by setting esn_event_arm to 0x1 immediately after validation and before calling mlx5_accel_esp_modify_xfrm(). This closes the race window by preventing reprocessing of duplicate events, and no legitimate update is missed because the next ESN wrap is roughly 2^31 packets away. Security practitioners should apply these patches to affected Linux kernels that use mlx5e IPSec offload.
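The two handler orderings described in the NVD text and the analysis above, as an added C model that is not the kernel's mlx5e code: the types and functions (aso_ctx, xfrm_esn, modify_xfrm, run_wrap) are assumed stand-ins that mirror the advisory's esn_event_arm, esn_msb and mlx5_accel_esp_modify_xfrm(), and a queued duplicate event is simulated by re-entering the handler at the point where the real call drops the xfrm state lock.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed model of the ESN wrap handling described above; not the kernel's
 * mlx5e code. Field and function names follow the advisory text. */
struct aso_ctx { uint8_t esn_event_arm; };  /* 0x0: event occurred, 0x1: armed */
struct xfrm_esn { uint32_t esn_msb; };      /* high-order ESN bits for hardware */
typedef bool (*esn_handler)(struct aso_ctx *, struct xfrm_esn *, bool *);

/* Stand-in for mlx5_accel_esp_modify_xfrm(): advances esn_msb; the real call
 * drops the xfrm state lock, so a queued duplicate event can arrive in the gap
 * (modelled here by re-entering the handler while *dup is set). */
static void modify_xfrm(struct aso_ctx *aso, struct xfrm_esn *xs, bool *dup,
                        esn_handler handler)
{
    xs->esn_msb++;
    if (*dup) {                      /* lock released: duplicate arrives here */
        *dup = false;
        handler(aso, xs, dup);
    }
}

/* Pre-patch order: validate, update xfrm, then re-arm. The duplicate still sees
 * esn_event_arm == 0x0, so a single wrap increments esn_msb twice. */
static bool handle_esn_vulnerable(struct aso_ctx *aso, struct xfrm_esn *xs,
                                  bool *dup)
{
    if (aso->esn_event_arm != 0x0)
        return false;                /* armed: nothing pending, ignore */
    modify_xfrm(aso, xs, dup, handle_esn_vulnerable);
    aso->esn_event_arm = 0x1;        /* re-armed too late */
    return true;
}
/* Patched order: re-arm right after validation, before the lock is dropped. */
static bool handle_esn_fixed(struct aso_ctx *aso, struct xfrm_esn *xs, bool *dup)
{
    if (aso->esn_event_arm != 0x0)
        return false;                /* duplicate now fails validation */
    aso->esn_event_arm = 0x1;        /* acknowledge first: closes the window */
    modify_xfrm(aso, xs, dup, handle_esn_fixed);
    return true;
}
/* One wrap event (plus optional duplicate); returns the resulting esn_msb. */
uint32_t run_wrap(bool fixed, bool with_duplicate)
{
    struct aso_ctx aso = { .esn_event_arm = 0x0 };  /* hardware reported a wrap */
    struct xfrm_esn xs = { .esn_msb = 0 };
    bool dup = with_duplicate;
    (fixed ? handle_esn_fixed : handle_esn_vulnerable)(&aso, &xs, &dup);
    return xs.esn_msb;
}
```

With a duplicate queued, run_wrap(false, true) returns 2 (one wrap counted twice, the invalid state the advisory describes) while run_wrap(true, true) returns 1; without a duplicate both orderings return 1.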

Details

CWE(s): CWE-362 (Race Condition)

Affected Products
linux / linux kernel: 6.4, 7.0 · 6.4.1 to 6.6.130 · 6.7 to 6.12.78 · 6.13 to 6.18.20

CVEs Like This One

CVE-2025-21701 (same product: Linux Linux Kernel)
CVE-2026-31467 (same product: Linux Linux Kernel)
CVE-2026-31626 (same product: Linux Linux Kernel)
CVE-2026-31638 (same product: Linux Linux Kernel)
CVE-2026-23351 (same product: Linux Linux Kernel)
CVE-2026-31600 (same product: Linux Linux Kernel)
CVE-2026-23411 (same product: Linux Linux Kernel)
CVE-2026-23004 (same product: Linux Linux Kernel)
CVE-2026-31538 (same product: Linux Linux Kernel)
CVE-2026-22992 (same product: Linux Linux Kernel)
