PatchSiren

CVE-2026-23296 Linux CVE debrief

A reference-count leak in the Linux kernel SCSI core subsystem can cause host teardown to hang indefinitely. The flaw resides in tagset_refcnt handling: when a SCSI host is destroyed, the leaked reference prevents completion of scsi_remove_host(), leaving processes such as iscsid unresponsive in __wait_for_common(). Local users with privileges to remove SCSI hosts or iSCSI sessions can trigger the hang, resulting in denial of service. The vulnerability affects multiple stable kernel branches from 5.10.223 through 7.0-rc2. Patches that correct the refcount imbalance have been released in the upstream stable kernels.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-25
Original CVE updated: 2026-05-26
Advisory published: 2026-03-25
Advisory updated: 2026-05-26

Who should care

Linux system administrators running iSCSI initiators or other SCSI-based storage; kernel maintainers and distribution security teams packaging stable kernel updates.

Technical summary

The SCSI core in the Linux kernel fails to properly decrement tagset_refcnt during certain teardown paths. When scsi_remove_host() is invoked, the leaked reference causes the function to wait indefinitely in __wait_for_common(), blocking completion of host removal. The iscsid daemon is particularly affected, as observed in call traces showing schedule_timeout and scsi_remove_host. The flaw is local, requires privileges to initiate SCSI host removal, and results in high availability impact (system hang) with no confidentiality or integrity impact.

Defensive priority

medium

Recommended defensive actions

  • Apply the relevant stable kernel patch from the Linux kernel stable tree to correct the tagset_refcnt reference-count imbalance.
  • Reboot into the patched kernel to ensure the fix is active.
  • Monitor system logs for scsi_remove_host or iscsid hang traces after SCSI host or iSCSI session teardown operations.
  • If immediate patching is not feasible, avoid repeated SCSI host removal operations that could trigger the hang condition.
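
One way to automate the log-monitoring action above, as an added example that is not part of the original debrief or of any kernel tooling: it groups kernel hung-task reports and flags those whose reliable call-trace frames include both scsi_remove_host and __wait_for_common. The function name, report fields and sample log lines are constructed for illustration.

```python
import re

# Symbols the debrief names in the hung call trace.
REQUIRED = {"scsi_remove_host", "__wait_for_common"}
# Header line emitted by the kernel hung-task detector.
HUNG_RE = re.compile(r"INFO: task (?P<comm>\S+):(?P<pid>\d+) blocked for more than (?P<secs>\d+) seconds")
# Reliable frame, e.g. " scsi_remove_host+0x1c2/0x210 [scsi_mod]". Frames marked
# "? " are unreliable stack entries, so they deliberately do not match.
FRAME_RE = re.compile(r"^\s*(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Optional journal/syslog "... kernel: " and dmesg "[ 1234.567890] " prefixes.
PREFIX_RE = re.compile(r"^(?:.*?kernel: )?(?:\[\s*\d+\.\d+\]\s?)?")

def find_scsi_teardown_hangs(lines):
    """Return hung-task reports whose reliable frames include all REQUIRED symbols."""
    reports, current = [], None
    for raw in lines:
        msg = PREFIX_RE.sub("", raw.rstrip("\n"), count=1)
        header = HUNG_RE.search(msg)
        if header:
            current = {"comm": header["comm"], "pid": int(header["pid"]),
                       "secs": int(header["secs"]), "symbols": []}
            reports.append(current)
        elif "</TASK>" in msg:
            current = None  # end of this task's trace
        elif current is not None and (frame := FRAME_RE.match(msg)):
            current["symbols"].append(frame["sym"])
    return [r for r in reports if REQUIRED <= set(r["symbols"])]

# Constructed sample log (not captured from a real system).
SAMPLE = """\
[ 1234.000001] INFO: task iscsid:2211 blocked for more than 120 seconds.
[ 1234.000002] Call Trace:
[ 1234.000003]  <TASK>
[ 1234.000004]  schedule_timeout+0x19f/0x1b0
[ 1234.000005]  __wait_for_common+0x9a/0x190
[ 1234.000006]  scsi_remove_host+0x1c2/0x210 [scsi_mod]
[ 1234.000007]  </TASK>
[ 1300.000001] INFO: task kworker/3:1:87 blocked for more than 120 seconds.
[ 1300.000002]  <TASK>
[ 1300.000003]  schedule_timeout+0x19f/0x1b0
[ 1300.000004]  ? scsi_remove_host+0x10/0x210 [scsi_mod]
[ 1300.000005]  </TASK>
""".splitlines()

if __name__ == "__main__":
    for hit in find_scsi_teardown_hangs(SAMPLE):
        print(f"{hit['comm']} (pid {hit['pid']}) blocked {hit['secs']}s in SCSI host removal")
```

A match only shows that a task is stuck in SCSI host removal; confirm against the running kernel version before attributing it to this CVE.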

Evidence notes

The CVE description and NVD record identify the bug as a refcount leak for tagset_refcnt in the SCSI core. Affected version ranges are drawn from NVD CPE criteria: 5.10.223+ before 5.11, 5.15.164+ before 5.15.203, 5.19.12+ before 6.0, 6.0.1+ before 6.1.167, 6.2+ before 6.6.130, 6.7+ before 6.12.77, 6.13+ before 6.18.17, 6.19+ before 6.19.7, plus specific 6.0 pre-release and 7.0-rc versions. Kernel.org stable commits are listed as patches. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H yields score 5.5 (MEDIUM).

Official resources

2026-03-25