Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()

In iscsit_dec_conn_usage_count(), the function calls complete() while
holding the conn->conn_usage_lock. As soon as complete() is invoked, the
waiter (such as iscsit_close_connection()) may wake up and proceed to free
the iscsit_conn structure.

If the waiter frees the memory before the current thread reaches
spin_unlock_bh(), it results in a KASAN slab-use-after-free as the function
attempts to release a lock within the already-freed connection structure.

Fix this by releasing the spinlock before calling complete().
Published: 2026-02-18
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel use‑after‑free can cause a crash
Action: Patch Immediately
AI Analysis

Impact

A use‑after‑free error exists in the Linux kernel’s iSCSI target module. The bug arises when the connection usage counter is decreased and the completion callback is executed while still holding the conn_usage_lock. The callback may wake a waiter that frees the iSCSI connection structure before the lock is released, leading the kernel to attempt to unlock a deallocated object. This triggers a KASAN slab‑use‑after‑free notification and results in a kernel crash.

Affected Systems

Linux kernel builds that include the iSCSI target module from the 6.19 release candidates 6.19‑rc1 through rc6 are affected. The vulnerability is present in the generic kernel package and is relevant to any distribution that ships those versions without the patch.

Risk and Exploitability

The CVSS score of 7.8 classifies the flaw as high severity, while the EPSS score of less than 1 % indicates a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, meaning no confirmed attacks. The iSCSI target interface can be reached over the network, so an attacker with the ability to send iSCSI commands may trigger the use‑after‑free and cause a kernel panic. No evidence suggests that the flaw can be leveraged for remote code execution; the primary risk is loss of service.

Generated by OpenCVE AI on April 18, 2026 at 11:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the iSCSI use‑after‑free patch, such as the fixed 6.19‑rc6 release or newer.
  • If an immediate upgrade cannot be performed, disable the iSCSI target service or block iSCSI traffic at the firewall until the kernel is updated.
  • After applying the update, reboot the system and review dmesg or kernel logs for any KASAN messages that may indicate remaining issues.

Generated by OpenCVE AI on April 18, 2026 at 11:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4498-1 linux security update
Debian DLA Debian DLA DLA-4499-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6141-1 linux security update
Debian DSA Debian DSA DSA-6163-1 linux security update
History

Wed, 18 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 19 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Wed, 18 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() In iscsit_dec_conn_usage_count(), the function calls complete() while holding the conn->conn_usage_lock. As soon as complete() is invoked, the waiter (such as iscsit_close_connection()) may wake up and proceed to free the iscsit_conn structure. If the waiter frees the memory before the current thread reaches spin_unlock_bh(), it results in a KASAN slab-use-after-free as the function attempts to release a lock within the already-freed connection structure. Fix this by releasing the spinlock before calling complete().
Title scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-20T11:31:03.046Z

Reserved: 2026-01-13T15:37:45.987Z

Link: CVE-2026-23216

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-18T15:18:42.957

Modified: 2026-03-18T20:28:20.997

Link: CVE-2026-23216

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-18T00:00:00Z

Links: CVE-2026-23216 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T12:00:05Z

Weaknesses