Description
In the Linux kernel, the following vulnerability has been resolved:

tls: Fix race condition in tls_sw_cancel_work_tx()

This issue was discovered during a code audit.

After cancel_delayed_work_sync() is called from tls_sk_proto_close(),
tx_work_handler() can still be scheduled from paths such as the
Delayed ACK handler or ksoftirqd.
As a result, the tx_work_handler() worker may dereference a freed
TLS object.

The following is a simple race scenario:

cpu0 cpu1

tls_sk_proto_close()
tls_sw_cancel_work_tx()
tls_write_space()
tls_sw_write_space()
if (!test_and_set_bit(BIT_TX_SCHEDULED, &tx_ctx->tx_bitmask))
set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask);
cancel_delayed_work_sync(&ctx->tx_work.work);
schedule_delayed_work(&tx_ctx->tx_work.work, 0);

To prevent this race condition, cancel_delayed_work_sync() is
replaced with disable_delayed_work_sync().
Published: 2026-03-10
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Use-After-Free
Action: Patch Now
AI Analysis

Impact

The flaw is a race condition in the TLS stack of the Linux kernel that allows a worker to access a TLS context that has already been freed. The use‑after‑free can lead to an arbitrary instruction pointer takeover or a process crash. The underlying weakness is a use‑after‑free (CWE‑416) triggered by a race condition (CWE‑362).

Affected Systems

All Linux kernel releases prior to the commit that replaces cancel_delayed_work_sync with disable_delayed_work_sync are affected. The patch is distributed in the mainline kernel upstream and referenced by several git commits. Linux distributions that have not yet included these commits remain vulnerable.

Risk and Exploitability

The CVSS base score of 9.8 indicates a critical severity. The EPSS score is below 1%, which suggests a low probability of widespread exploitation, but the flaw is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker who can manipulate TLS traffic to a vulnerable service is likely able to trigger the race condition, and therefore the attack vector is a remote TLS connection. Exploitability is inferred to be feasible in environments where TLS clients can be controlled, allowing an attacker to trigger the use‑after‑free and potentially execute arbitrary code.

Generated by OpenCVE AI on April 15, 2026 at 16:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the commit replacing cancel_delayed_work_sync with disable_delayed_work_sync.
  • Reboot the system to ensure the new kernel is running.
  • If a kernel update is not immediately available, consider disabling TLS services or restricting remote TLS access until the patch is applied.
  • Monitor system logs for signs of crashes or abnormal TLS activity that may indicate an attempted exploitation.

Generated by OpenCVE AI on April 15, 2026 at 16:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 11 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Tue, 10 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: tls: Fix race condition in tls_sw_cancel_work_tx() This issue was discovered during a code audit. After cancel_delayed_work_sync() is called from tls_sk_proto_close(), tx_work_handler() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the tx_work_handler() worker may dereference a freed TLS object. The following is a simple race scenario: cpu0 cpu1 tls_sk_proto_close() tls_sw_cancel_work_tx() tls_write_space() tls_sw_write_space() if (!test_and_set_bit(BIT_TX_SCHEDULED, &tx_ctx->tx_bitmask)) set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask); cancel_delayed_work_sync(&ctx->tx_work.work); schedule_delayed_work(&tx_ctx->tx_work.work, 0); To prevent this race condition, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().
Title tls: Fix race condition in tls_sw_cancel_work_tx()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:02:56.438Z

Reserved: 2026-01-13T15:37:45.989Z

Link: CVE-2026-23240

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-10T18:18:13.533

Modified: 2026-04-02T15:16:25.907

Link: CVE-2026-23240

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-10T00:00:00Z

Links: CVE-2026-23240 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T17:00:07Z

Weaknesses

No weakness.