PatchSiren cyber security CVE debrief

CVE-2026-23239 Linux CVE debrief

CVE-2026-23239 was published on 2026-03-10 and describes a Linux kernel espintcp race condition found during code audit. After espintcp_close() calls cancel_work_sync(), espintcp_tx_work() can still be scheduled from delayed ACK handling or ksoftirqd, which can lead to dereferencing a freed espintcp context or socket. NVD rates the issue HIGH (CVSS 7.8) with local access, low privileges, and no user interaction required. The supplied NVD data marks affected kernels in several release lines, including 5.6 before 6.12.75, 6.13 before 6.18.16, 6.19 before 6.19.6, and 7.0-rc1.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-10
Original CVE updated: 2026-05-20
Advisory published: 2026-03-10
Advisory updated: 2026-05-20

Who should care

Linux kernel maintainers, distro security teams, appliance vendors, and operators running kernels with espintcp support should care most. Environments that allow local users, containers, or other low-privilege code execution on affected systems should prioritize review and patching.

Technical summary

The bug is a teardown race in espintcp_close(): cancel_work_sync() cancels pending work and waits for a running instance to finish, but it does not prevent espintcp_tx_work() from being queued again by other paths such as delayed ACK handling or ksoftirqd. That leaves a window where the worker can run after the espintcp ctx or sk has been freed, creating a use-after-free condition. The fix replaces cancel_work_sync() with disable_work_sync(), which closes the rescheduling window during shutdown. NVD maps the weakness to CWE-362 (race condition).

Defensive priority

High. This is a kernel race condition with local attack vector and low privileges required, and the NVD impact rating is high. Systems on affected kernel branches should be prioritized for patching, especially where espintcp is enabled or shipped in supported vendor kernels.

Recommended defensive actions

  • Apply the relevant stable kernel updates referenced in the official patch links.
  • If you maintain downstream kernels, backport the espintcp_close() fix into all affected release lines you ship.
  • Plan a reboot into the patched kernel after deployment; kernel fixes do not take effect until the running kernel is replaced.
  • Verify whether your fleet includes kernels in the affected ranges listed by NVD: 5.6 before 6.12.75, 6.13 before 6.18.16, 6.19 before 6.19.6, or 7.0-rc1.
  • Review systems that expose local user execution or container workloads, since the published vector is local with low privileges.
  • Monitor for kernel warnings, crashes, or unexplained memory-safety faults around espintcp workqueue activity while patching is rolled out.
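
For the fleet verification step above, a first-pass triage of `uname -r` strings against the NVD ranges quoted on this page. This is an added example, not code from the advisory or the kernel project; the function names, status labels and the sample inventory are assumptions made for illustration.

```python
import re

# Upstream ranges as listed on this page from NVD: (first affected, first fixed).
NVD_RANGES = [
    ((5, 6, 0), (6, 12, 75)),
    ((6, 13, 0), (6, 18, 16)),
    ((6, 19, 0), (6, 19, 6)),
]
NVD_PRERELEASES = {"7.0-rc1"}  # release candidates NVD names explicitly

# Leading "X.Y[.Z][-rcN]" of a `uname -r` string; distro suffixes are ignored.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(rc\d+))?")


def parse_release(release):
    """Return ((major, minor, patch), rc_tag or None) for a kernel release string."""
    m = _RELEASE_RE.match(release.strip())
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), rc


def classify(release):
    """Return 'in-nvd-range', 'outside-nvd-range' or 'unknown'."""
    try:
        version, rc = parse_release(release)
    except ValueError:
        return "unknown"
    if rc is not None:
        # Pre-releases are matched by name only; other -rc builds are not
        # covered by the ranges on the page, so they need manual review.
        tag = f"{version[0]}.{version[1]}-{rc}"
        return "in-nvd-range" if tag in NVD_PRERELEASES else "unknown"
    if any(start <= version < fixed for start, fixed in NVD_RANGES):
        return "in-nvd-range"
    return "outside-nvd-range"


def hosts_to_review(inventory):
    """Map host -> status for every host that is not clearly outside the ranges."""
    statuses = {host: classify(rel) for host, rel in inventory.items()}
    return {h: s for h, s in statuses.items() if s != "outside-nvd-range"}


if __name__ == "__main__":
    # Constructed inventory (hypothetical hosts), e.g. collected with `uname -r`.
    sample = {"web-01": "6.12.74-1-amd64", "web-02": "6.12.75", "lab-01": "7.0.0-rc1",
              "db-01": "6.18.16-200.fc43.x86_64", "edge-01": "custom-build"}
    for host, status in sorted(hosts_to_review(sample).items()):
        print(host, status)
```

Distribution kernels often backport fixes without changing the upstream version number, so treat an in-range result as a prompt to check the vendor's advisory rather than as proof of exposure.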

Evidence notes

All claims above are grounded in the supplied CVE/NVD corpus and the official kernel.org patch references. The CVE description states the race scenario, the freed ctx/sk risk, and the replacement of cancel_work_sync() with disable_work_sync(). The NVD metadata provides the CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), CWE-362 mapping, and affected version ranges. The record was published on 2026-03-10 and last modified on 2026-05-20; no KEV entry was provided in the supplied data.

Official resources

Publicly disclosed in the CVE record on 2026-03-10. The supplied NVD record was last modified on 2026-05-20 after analysis. No KEV entry was included in the supplied enrichment data.