CVE-2026-23120 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

l2tp: avoid one data-race in l2tp_tunnel_del_work()

We should read sk->sk_socket only when dealing with kernel sockets.

syzbot reported the following data-race:

BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release

write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0:
sk_set_socket include/net/sock.h:2092 [inline]
sock_orphan include/net/sock.h:2118 [inline]
sk_common_release+0xae/0x230 net/core/sock.c:4003
udp_lib_close+0x15/0x20 include/net/udp.h:325
inet_release+0xce/0xf0 net/ipv4/af_inet.c:437
__sock_release net/socket.c:662 [inline]
sock_close+0x6b/0x150 net/socket.c:1455
__fput+0x29b/0x650 fs/file_table.c:468
____fput+0x1c/0x30 fs/file_table.c:496
task_work_run+0x131/0x1a0 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1:
l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340
worker_thread+0x582/0x770 kernel/workqueue.c:3421
kthread+0x489/0x510 kernel/kthread.c:463
ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

value changed: 0xffff88811b818000 -> 0x0000000000000000

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`d00fa9adc528c1b0e64d532556764852df8bd7b9`	affected	< 1f63ca44b4f419a1663d94d1bb0b4e2beb73fdb4
`d00fa9adc528c1b0e64d532556764852df8bd7b9`	affected	< 36c40a80109f1771d59558050b1a71e13c60c759
`d00fa9adc528c1b0e64d532556764852df8bd7b9`	affected	< eae074dab764ea181bbed5e88626889319177498
`d00fa9adc528c1b0e64d532556764852df8bd7b9`	affected	< 68e92085427c84e7679ddb53c0d68836d220b6e7
`d00fa9adc528c1b0e64d532556764852df8bd7b9`	affected	< 3d6d414b214ce31659bded2f8df50c93a3769474
`d00fa9adc528c1b0e64d532556764852df8bd7b9`	affected	< 32d417497b79efb403d75f4c185fe6fd9d64b94f
`d00fa9adc528c1b0e64d532556764852df8bd7b9`	affected	< 7a29f6bf60f2590fe5e9c4decb451e19afad2bcf
`15df699fdc5af46a9fb15ae2d9326294852de5b5`	affected	—
`18bdaefc715b4530b4b2fe670506bb47713664cc`	affected	—

Linux

affected

Version	Status	Constraints
`4.16`	affected	—
`0`	unaffected	< 4.16
`5.10.249`	unaffected	≤ 5.10.*
`5.15.199`	unaffected	≤ 5.15.*
`6.1.162`	unaffected	≤ 6.1.*
`6.6.122`	unaffected	≤ 6.6.*
`6.12.68`	unaffected	≤ 6.12.*
`6.18.8`	unaffected	≤ 6.18.*
`6.19`	unaffected	≤ *

No data.

Project Subscriptions

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/1f63ca44b4f419a1663d94d1bb0b4e2beb73fdb4
https://git.kernel.org/stable/c/32d417497b79efb403d75f4c185fe6fd9d64b94f
https://git.kernel.org/stable/c/36c40a80109f1771d59558050b1a71e13c60c759
https://git.kernel.org/stable/c/3d6d414b214ce31659bded2f8df50c93a3769474
https://git.kernel.org/stable/c/68e92085427c84e7679ddb53c0d68836d220b6e7
https://git.kernel.org/stable/c/7a29f6bf60f2590fe5e9c4decb451e19afad2bcf
https://git.kernel.org/stable/c/eae074dab764ea181bbed5e88626889319177498

History

Sat, 14 Feb 2026 15:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: l2tp: avoid one data-race in l2tp_tunnel_del_work() We should read sk->sk_socket only when dealing with kernel sockets. syzbot reported the following data-race: BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0: sk_set_socket include/net/sock.h:2092 [inline] sock_orphan include/net/sock.h:2118 [inline] sk_common_release+0xae/0x230 net/core/sock.c:4003 udp_lib_close+0x15/0x20 include/net/udp.h:325 inet_release+0xce/0xf0 net/ipv4/af_inet.c:437 __sock_release net/socket.c:662 [inline] sock_close+0x6b/0x150 net/socket.c:1455 __fput+0x29b/0x650 fs/file_table.c:468 ____fput+0x1c/0x30 fs/file_table.c:496 task_work_run+0x131/0x1a0 kernel/task_work.c:233 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] __exit_to_user_mode_loop kernel/entry/common.c:44 [inline] exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline] do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f read to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1: l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340 worker_thread+0x582/0x770 kernel/workqueue.c:3421 kthread+0x489/0x510 kernel/kthread.c:463 ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 value changed: 0xffff88811b818000 -> 0x0000000000000000
Title		l2tp: avoid one data-race in l2tp_tunnel_del_work()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1f63ca44b4f419a1663d94d1bb0b4e2beb73fdb4 https://git.kernel.org/stable/c/32d417497b79efb403d75f4c185fe6fd9d64b94f https://git.kernel.org/stable/c/36c40a80109f1771d59558050b1a71e13c60c759 https://git.kernel.org/stable/c/3d6d414b214ce31659bded2f8df50c93a3769474 https://git.kernel.org/stable/c/68e92085427c84e7679ddb53c0d68836d220b6e7 https://git.kernel.org/stable/c/7a29f6bf60f2590fe5e9c4decb451e19afad2bcf https://git.kernel.org/stable/c/eae074dab764ea181bbed5e88626889319177498

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-02-14T15:09:51.223Z

Updated: 2026-02-14T15:09:51.223Z

Reserved: 2026-01-13T15:37:45.970Z

Link: CVE-2026-23120

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-02-14T15:16:07.157

Modified: 2026-02-14T15:16:07.157

Link: CVE-2026-23120

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object