{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23296", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.993Z", "datePublished": "2026-03-25T10:26:53.509Z", "dateUpdated": "2026-03-25T10:26:53.509Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:26:53.509Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix refcount leak for tagset_refcnt\n\nThis leak will cause a hang when tearing down the SCSI host. For example,\niscsid hangs with the following call trace:\n\n[130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured\n\nPID: 2528 TASK: ffff9d0408974e00 CPU: 3 COMMAND: \"iscsid\"\n #0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4\n #1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f\n #2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0\n #3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f\n #4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b\n #5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp]\n #6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi]\n #7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi]\n #8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6\n #9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/scsi/scsi_scan.c"], "versions": [{"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506", "lessThan": "9f5e4abed9248448aa1b45b12ab0bea4d329b56a", "status": "affected", "versionType": "git"}, {"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506", "lessThan": "7c01b680beaf4d3143866b062b8e770e8b237fb8", "status": "affected", "versionType": "git"}, {"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506", "lessThan": "ec5c17c687b189dbc09dfdec11b669caa40bc395", "status": "affected", "versionType": "git"}, {"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506", "lessThan": "944a333c8e4d42256556c1d2ebb6d773a33e0dcd", "status": "affected", "versionType": "git"}, {"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506", "lessThan": "a03d96598d39fdf605d90731db3ef3b13fb8bdc8", "status": "affected", "versionType": "git"}, {"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506", "lessThan": "1ac22c8eae81366101597d48360718dff9b9d980", "status": "affected", "versionType": "git"}, {"version": "5ce8fad941233e81f2afb5b52a3fcddd3ba8732f", "status": "affected", "versionType": "git"}, {"version": "f818708eeeae793e12dc39f8984ed7732048a7d9", "status": "affected", "versionType": "git"}, {"version": "2e7eb4c1e8af8385de22775bd0be552f59b28c9a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/scsi/scsi_scan.c"], "versions": [{"version": "6.0", "status": "affected"}, {"version": "0", "lessThan": "6.0", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "7.0-rc3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.223"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.164"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.19.12"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9f5e4abed9248448aa1b45b12ab0bea4d329b56a"}, {"url": "https://git.kernel.org/stable/c/7c01b680beaf4d3143866b062b8e770e8b237fb8"}, {"url": "https://git.kernel.org/stable/c/ec5c17c687b189dbc09dfdec11b669caa40bc395"}, {"url": "https://git.kernel.org/stable/c/944a333c8e4d42256556c1d2ebb6d773a33e0dcd"}, {"url": "https://git.kernel.org/stable/c/a03d96598d39fdf605d90731db3ef3b13fb8bdc8"}, {"url": "https://git.kernel.org/stable/c/1ac22c8eae81366101597d48360718dff9b9d980"}], "title": "scsi: core: Fix refcount leak for tagset_refcnt", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix refcount leak for tagset_refcnt\n\nThis leak will cause a hang when tearing down the SCSI host. For example,\niscsid hangs with the following call trace:\n\n[130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured\n\nPID: 2528 TASK: ffff9d0408974e00 CPU: 3 COMMAND: \"iscsid\"\n #0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4\n #1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f\n #2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0\n #3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f\n #4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b\n #5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp]\n #6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi]\n #7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi]\n #8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6\n #9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef"}], "id": "CVE-2026-23296", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:24.980", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1ac22c8eae81366101597d48360718dff9b9d980"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7c01b680beaf4d3143866b062b8e770e8b237fb8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/944a333c8e4d42256556c1d2ebb6d773a33e0dcd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9f5e4abed9248448aa1b45b12ab0bea4d329b56a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a03d96598d39fdf605d90731db3ef3b13fb8bdc8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ec5c17c687b189dbc09dfdec11b669caa40bc395"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: scsi: core: Fix refcount leak for tagset_refcnt", "id": "2451174", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451174"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-911", "details": ["A flaw was found in the Linux kernel's SCSI core. A reference count leak, a type of resource management issue, occurs when tearing down a SCSI host due to an error in the `tagset_refcnt` mechanism. This can cause the system to hang, leading to a Denial of Service (DoS) for the affected system."], "name": "CVE-2026-23296", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23296\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23296\nhttps://lore.kernel.org/linux-cve-announce/2026032526-CVE-2026-23296-eb4a@gregkh/T"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-03-25T11:23:38.339230+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a patched release that includes the scsi core refcount fix (e.g., the commit identified by 1ac22c8e).", "Restart or reboot the system to activate the updated kernel and confirm that iscsid and related services start normally.", "Continuously monitor system logs (e.g., dmesg, syslog) for recurring \"scsi_alloc_sdev\" allocation failures or host teardown errors."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All Linux kernel distributions that were built from a kernel containing the faulty reference count logic are affected. The CNA list identifies Linux:Linux as the vendor, but no specific kernel version range is provided in the data. Any system running a kernel with the unpatched scsi core module is at risk.", "description_and_impact": "The vulnerability is a reference count leak in the Linux kernel\u2019s SCSI core module that leads to a hang when a SCSI host is torn down. The leak can cause processes such as iscsid to become stuck during cleanup, resulting in service unavailability and possible system lockups. The flaw arises from improper reference count management (CWE-665).", "risk_and_exploitability": "The exploit requires the ability to trigger SCSI host teardown, which typically requires local or privileged access. The severity score is not listed, and EPSS is not available, so the exact likelihood is unknown. The issue is not in the KEV catalog, indicating no evidence of widespread public exploitation yet, but the impact remains a disruptive denial of service for services relying on SCSI devices."}}}}, "created": "2026-03-25T21:15:34.342014+00:00", "updated": "2026-03-25T21:15:34.342049+00:00", "vendors": [], "weaknesses": ["CWE-665"]}