Description
In the Linux kernel, the following vulnerability has been resolved:

espintcp: Fix race condition in espintcp_close()

This issue was discovered during a code audit.

After cancel_work_sync() is called from espintcp_close(),
espintcp_tx_work() can still be scheduled from paths such as
the Delayed ACK handler or ksoftirqd.
As a result, the espintcp_tx_work() worker may dereference a
freed espintcp ctx or sk.

The following is a simple race scenario:

           cpu0                             cpu1

  espintcp_close()
    cancel_work_sync(&ctx->work);
                                     espintcp_write_space()
                                       schedule_work(&ctx->work);

To prevent this race condition, cancel_work_sync() is
replaced with disable_work_sync().
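
The interleaving above, replayed as a deterministic userspace C model. This is an added example, not kernel code and not taken from the patch. The struct names and model_* functions are hypothetical stand-ins for the workqueue calls, and it assumes the close path frees the ctx once the work has been cancelled.

```c
/* Userspace model, constructed for illustration; not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct work { bool pending; int disabled; };   /* stand-in for work_struct */
struct ctx  { struct work work; bool freed; }; /* stand-in for espintcp ctx */

/* Models schedule_work(): queues unless already pending or disabled. */
static bool model_schedule_work(struct work *w)
{
    if (w->disabled || w->pending)
        return false;
    w->pending = true;
    return true;
}

/* Models cancel_work_sync(): drops a pending run; later queueing still works. */
static void model_cancel_work_sync(struct work *w) { w->pending = false; }

/* Models disable_work_sync(): cancels and rejects all later queueing. */
static void model_disable_work_sync(struct work *w)
{
    w->pending = false;
    w->disabled++;
}

/* Replays the cpu0/cpu1 ordering from the description. Returns true when
 * the worker is left queued against a ctx that has already been freed. */
static bool close_races_with_write_space(bool use_disable)
{
    struct ctx c = { { false, 0 }, false };

    model_schedule_work(&c.work);          /* earlier TX activity */
    if (use_disable)                       /* cpu0: espintcp_close() */
        model_disable_work_sync(&c.work);
    else
        model_cancel_work_sync(&c.work);
    model_schedule_work(&c.work);          /* cpu1: espintcp_write_space() */
    c.freed = true;                        /* assumed: close path frees ctx */
    return c.work.pending && c.freed;      /* worker would touch freed ctx */
}

int main(void)
{
    printf("cancel_work_sync:  stale work queued = %d\n",
           close_races_with_write_space(false));
    printf("disable_work_sync: stale work queued = %d\n",
           close_races_with_write_space(true));
    return 0;
}
```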
Published: 2026-03-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑After‑Free Leading to Uncontrolled Kernel Behavior
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a race condition in the espintcp_close() routine of the Linux kernel. After cancel_work_sync() is invoked, the associated espintcp_tx_work() work handler can still be scheduled by other kernel paths such as the Delayed ACK handler or ksoftirqd, allowing the worker to execute after the espintcp context is freed. This use‑after‑free can lead to a kernel crash or an attacker‑controlled execution environment if the freed memory is overwritten. The weakness is a classic race condition leading to a dangling pointer dereference. The CVE description and audit‑based discovery confirm that the bug permits a local user or privileged process to trigger the fault by manipulating the espintcp state.

Affected Systems

The issue appears in all Linux kernel releases that contain the espintcp implementation prior to the change referenced by commit 022ff7f. The affected code is part of the kernel’s networking stack, specifically the espintcp subsystem. Vendor information is listed simply as Linux:Linux, indicating that any distribution shipping a version of the kernel before the patch is vulnerable.

Risk and Exploitability

The CVSS score of 7.8 classifies the flaw as high severity, indicating serious potential impact on system integrity. The EPSS score of less than 1% shows current evidence of exploit probability is very low; nevertheless, the normalized likelihood is non‑zero, suggesting that once shipped, the risk can rise if more attackers become aware. The vulnerability is not yet listed in CISA’s Known Exploited Vulnerabilities catalog, so no public exploits are known at present. A local privileged attacker who can execute code within the kernel can most likely trigger the race by initiating espintcp_close() while another thread schedules the work handler, potentially leading to a denial‑of‑service or privilege escalation scenario. The likely attack vector is local, but in environments where user processes have elevated privileges, the risk could extend to remote exploitation if the kernel service is exposed externally.

Generated by OpenCVE AI on April 15, 2026 at 15:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version containing the espintcp patch (use commit 022ff7f, which replaces cancel_work_sync() with disable_work_sync()). Ensure that the kernel distribution’s release notes confirm the application of this change.
  • If an immediate kernel upgrade is not feasible, isolate the affected network paths by blocking ESP‑I/O traffic or disabling the espintcp protocol where supported, to reduce the window in which the race can be triggered.
  • Monitor kernel logs for use‑after‑free or SIGKILL events involving network stack modules; if any anomalous activity is detected, treat the host as compromised and consider containment or further hardening measures.


Advisories
Source      ID          Title
Debian DSA  DSA-6238-1  linux security update

History

Thu, 02 Apr 2026 15:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 11 Mar 2026 12:15:00 +0000

Type: References

Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity Important


Tue, 10 Mar 2026 18:00:00 +0000

Type: Description
Values Added: the description text shown at the top of this page

Type: Title
Values Added: espintcp: Fix race condition in espintcp_close()

Type: First Time appeared
Values Added: Linux; Linux linux Kernel

Type: CPEs
Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Linux; Linux linux Kernel

References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:02:54.954Z

Reserved: 2026-01-13T15:37:45.989Z

Link: CVE-2026-23239

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-03-10T18:18:13.383

Modified: 2026-04-02T15:16:25.183

Link: CVE-2026-23239

Redhat

Severity: Important

Public Date: 2026-03-10T00:00:00Z

Links: CVE-2026-23239 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T17:00:07Z

Weaknesses

No weakness.