Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: core: Fix refcount leak for tagset_refcnt

This leak will cause a hang when tearing down the SCSI host. For example,
iscsid hangs with the following call trace:

[130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured

PID: 2528 TASK: ffff9d0408974e00 CPU: 3 COMMAND: "iscsid"
#0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4
#1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f
#2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0
#3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f
#4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b
#5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp]
#6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi]
#7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi]
#8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6
#9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (system hang during SCSI host teardown)
Action: Apply Patch
AI Analysis

Impact

A reference count leak in the Linux kernel’s SCSI core occurs when a SCSI host is torn down, leading to a hang in processes such as iscsid. The vulnerability is a form of resource exhaustion (CWE‑911) that can disrupt services that depend on SCSI device management, effectively causing a denial of service rather than exposing data or code execution.

Affected Systems

All Linux kernel implementations are affected; vendor or distribution information is not tied to a specific released version in the advisory. The issue resides at the kernel level, so any distribution that includes the vulnerable kernel code is impacted.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1% suggests a very low probability of observed exploitation. The vulnerability is not listed in CISA’s KEV catalog and no public exploit has been reported. Exploitation would likely require an attacker to trigger SCSI host teardown—an action that typically requires local system interaction or a scenario such as disabling SCSI services—which is inferred from the provided trace rather than explicitly documented.

Generated by OpenCVE AI on March 26, 2026 at 14:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that incorporates the patch referenced in the advisory, such as the commit series linked in the provided URLs.
  • Verify the running kernel version includes the fix by checking the change log or the relevant commit identifiers.
  • If an immediate kernel update is not available, consider restarting iscsi services or limiting SCSI host configuration while awaiting the fix.

Generated by OpenCVE AI on March 26, 2026 at 14:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix refcount leak for tagset_refcnt This leak will cause a hang when tearing down the SCSI host. For example, iscsid hangs with the following call trace: [130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured PID: 2528 TASK: ffff9d0408974e00 CPU: 3 COMMAND: "iscsid" #0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4 #1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f #2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0 #3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f #4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b #5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp] #6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi] #7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi] #8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6 #9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef
Title scsi: core: Fix refcount leak for tagset_refcnt
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:57:44.862Z

Reserved: 2026-01-13T15:37:45.993Z

Link: CVE-2026-23296

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:24.980

Modified: 2026-04-18T09:16:17.420

Link: CVE-2026-23296

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23296 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:50:10Z

Weaknesses