Description
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix race condition during IPSec ESN update

In IPSec full offload mode, the device reports an ESN (Extended
Sequence Number) wrap event to the driver. The driver validates this
event by querying the IPSec ASO and checking that the esn_event_arm
field is 0x0, which indicates an event has occurred. After handling
the event, the driver must re-arm the context by setting esn_event_arm
back to 0x1.

A race condition exists in this handling path. After validating the
event, the driver calls mlx5_accel_esp_modify_xfrm() to update the
kernel's xfrm state. This function temporarily releases and
re-acquires the xfrm state lock.

So, we need to acknowledge the event first by setting esn_event_arm to
0x1. This prevents the driver from reprocessing the same ESN update if
the hardware sends events for other reasons. Since the next ESN update
only occurs after nearly 2^31 packets are received, there's no risk of
missing an update, as it will happen long after this handling has
finished.

Processing the event twice causes the ESN high-order bits (esn_msb) to
be incremented incorrectly. The driver then programs the hardware with
this invalid ESN state, which leads to anti-replay failures and a
complete halt of IPSec traffic.

Fix this by re-arming the ESN event immediately after it is validated,
before calling mlx5_accel_esp_modify_xfrm(). This ensures that any
spurious, duplicate events are correctly ignored, closing the race
window.
Published: 2026-04-03
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: ESN race condition causing anti‑replay failures and a halt of IPsec traffic
Action: Apply patch
AI Analysis

Impact

The vulnerability is a race condition in the Linux kernel's mlx5e driver while it handles an Extended Sequence Number (ESN) wrap event for an IPsec SA in full offload mode. The driver validates the event by reading esn_event_arm == 0x0 from the IPsec ASO, then calls mlx5_accel_esp_modify_xfrm(), which drops and re-takes the xfrm state lock before the context has been re-armed. If the device raises another event in that window, the handler runs again, still sees esn_event_arm == 0x0, and processes the same wrap a second time, so the ESN high-order bits (esn_msb) are advanced twice for a single wrap. The driver then programs the device with that invalid ESN state, anti-replay checks fail, and IPsec traffic over the offloaded SA halts. The impact is availability only (the CVSS vector on this page records C:N/I:N/A:H); no confidentiality or integrity loss is described.
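The following is an added, userland model of the handling path described above, written for this page to make the ordering problem concrete. It is not mlx5e driver code: the struct layout, run_wrap_event() and the duplicate_pending knob are hypothetical, while esn_event_arm, esn_msb and mlx5_accel_esp_modify_xfrm are the names the commit message uses. The model compresses the 2^31-packet interval between genuine wraps to a single call and injects one spurious device event into the unlocked window, so the only difference between the two runs is whether the context is re-armed before or after that window.

```c
/* Model of the mlx5e ESN wrap-event race (illustrative, not driver code). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct esn_scenario {
    /* Device-side IPsec ASO context (hypothetical layout). */
    uint32_t esn_event_arm;     /* 0x0: a wrap event fired, 0x1: armed for the next wrap */
    uint32_t hw_esn_msb;        /* ESN high-order bits currently programmed into the device */
    /* Kernel-side xfrm state (hypothetical layout). */
    uint32_t esn_msb;           /* kernel's view of the ESN high-order bits */
    int      lock_depth;        /* models the xfrm state lock: 1 while held, 0 when dropped */
    /* Model knobs (not part of any real driver). */
    bool     rearm_first;       /* true: fixed ordering, false: pre-fix ordering */
    bool     duplicate_pending; /* deliver one spurious second event inside the window */
};

static bool handle_esn_event(struct esn_scenario *sc);

/* Stand-in for mlx5_accel_esp_modify_xfrm(): it releases and re-acquires the
 * xfrm state lock while updating the ESN, which is the window the advisory
 * describes. A second event delivered here re-enters the same handler. */
static void modify_xfrm(struct esn_scenario *sc)
{
    sc->lock_depth--;                /* xfrm state lock released */
    if (sc->duplicate_pending) {     /* device raises another event meanwhile */
        sc->duplicate_pending = false;
        handle_esn_event(sc);        /* driver runs the handler again */
    }
    sc->lock_depth++;                /* xfrm state lock re-acquired */
    sc->esn_msb += 1;                /* advance the high-order bits for this wrap */
}

/* One ESN wrap-event handler invocation. Returns true if the event was
 * processed and false if it was rejected because the context is still armed. */
static bool handle_esn_event(struct esn_scenario *sc)
{
    sc->lock_depth++;
    /* Validation: the device clears esn_event_arm only when a wrap happened. */
    if (sc->esn_event_arm != 0x0) {
        sc->lock_depth--;
        return false;
    }
    if (sc->rearm_first)
        sc->esn_event_arm = 0x1;     /* fix: acknowledge before the lock is dropped */

    modify_xfrm(sc);

    if (!sc->rearm_first)
        sc->esn_event_arm = 0x1;     /* pre-fix: re-arm only after the window */
    sc->hw_esn_msb = sc->esn_msb;    /* program the device with the new ESN state */
    sc->lock_depth--;
    return true;
}

/* Run one genuine wrap event with a spurious duplicate delivered inside the
 * unlocked window and return the ESN high-order bits the device ends up with.
 * Correct handling of one wrap advances esn_msb by exactly 1; the pre-fix
 * ordering advances it twice, which is the invalid state behind the
 * anti-replay failures. Returns UINT32_MAX if a model invariant breaks. */
uint32_t run_wrap_event(bool rearm_first)
{
    struct esn_scenario sc = {
        .esn_event_arm = 0x0,        /* device reports that a wrap occurred */
        .hw_esn_msb = 0,
        .esn_msb = 0,
        .lock_depth = 0,
        .rearm_first = rearm_first,
        .duplicate_pending = true,
    };
    handle_esn_event(&sc);
    if (sc.lock_depth != 0 || sc.esn_event_arm != 0x1)
        return UINT32_MAX;           /* lock not balanced or context left unarmed */
    return sc.hw_esn_msb;
}

int main(void)
{
    printf("pre-fix ordering: device esn_msb = %u (one wrap, expected 1)\n",
           (unsigned)run_wrap_event(false));
    printf("fixed ordering:   device esn_msb = %u (one wrap, expected 1)\n",
           (unsigned)run_wrap_event(true));
    return 0;
}
```

In the pre-fix run the nested handler still reads esn_event_arm == 0x0, so it increments esn_msb itself, and the outer handler increments it again after re-taking the lock. In the fixed run the nested handler finds the context already re-armed and returns without touching the ESN, which is the "spurious, duplicate events are correctly ignored" behaviour the commit message describes.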

Affected Systems

This flaw affects the Linux kernel's mlx5e driver for Mellanox (NVIDIA) ConnectX devices when an IPsec SA is configured in full offload mode, the mode the xfrm layer calls packet offload; the ESN ASO event path is specific to that mode. The description gives no fixed-in version. The CPE entries recorded in the history below name Linux kernel 6.4 and 7.0-rc1 through 7.0-rc7. Administrators running IPsec offload on mlx5e devices should check whether their kernel carries the fix commit rather than rely on the version number alone, since distribution kernels backport fixes.

Risk and Exploitability

The CVSS 3.1 vector recorded on this page is AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (4.7, Medium): local attack vector, high attack complexity, low privileges, availability impact only. The EPSS score below 1% indicates low predicted exploitation likelihood, and the issue is not in the CISA KEV catalog. Triggering it requires a genuine ESN wrap event on an offloaded SA, which the commit message says occurs only after nearly 2^31 packets, plus a second device event landing in the short window while the xfrm state lock is dropped; that timing dependence is what the high attack complexity reflects. The realistic outcome is denial of service for hardware-offloaded IPsec, so patching should be scheduled with that availability risk in mind.

Generated by OpenCVE AI on April 7, 2026 at 09:49 UTC.

Remediation

No vendor fix or workaround is recorded in this entry's advisories. The upstream fix is the kernel commit named in the title (net/mlx5e: Fix race condition during IPSec ESN update); see the recommended actions below.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes commit 2051c709dce92da3550040aa7949cd5a9c89b14e, which fixes the race condition.
  • If an immediate kernel update is not feasible, move affected SAs off IPsec full offload until the patch is applied, since the ESN ASO event path is only used in that mode. Disabling the mlx5e driver outright takes the NIC out of service entirely and should be a last resort.
  • Monitor kernel changelogs and vendor security advisories for future updates.

Generated by OpenCVE AI on April 7, 2026 at 09:49 UTC.

Tracking


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CPEs cpe:2.3:o:linux:linux_kernel:6.4:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics (removed) threat_severity: None
Metrics (added) cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}
Metrics (added) threat_severity: Moderate


Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix race condition during IPSec ESN update In IPSec full offload mode, the device reports an ESN (Extended Sequence Number) wrap event to the driver. The driver validates this event by querying the IPSec ASO and checking that the esn_event_arm field is 0x0, which indicates an event has occurred. After handling the event, the driver must re-arm the context by setting esn_event_arm back to 0x1. A race condition exists in this handling path. After validating the event, the driver calls mlx5_accel_esp_modify_xfrm() to update the kernel's xfrm state. This function temporarily releases and re-acquires the xfrm state lock. So, need to acknowledge the event first by setting esn_event_arm to 0x1. This prevents the driver from reprocessing the same ESN update if the hardware sends events for other reason. Since the next ESN update only occurs after nearly 2^31 packets are received, there's no risk of missing an update, as it will happen long after this handling has finished. Processing the event twice causes the ESN high-order bits (esn_msb) to be incremented incorrectly. The driver then programs the hardware with this invalid ESN state, which leads to anti-replay failures and a complete halt of IPSec traffic. Fix this by re-arming the ESN event immediately after it is validated, before calling mlx5_accel_esp_modify_xfrm(). This ensures that any spurious, duplicate events are correctly ignored, closing the race window.
Title net/mlx5e: Fix race condition during IPSec ESN update
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:07:30.223Z

Reserved: 2026-01-13T15:37:46.017Z

Link: CVE-2026-23440

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-03T16:16:26.020

Modified: 2026-04-23T20:59:12.653

Link: CVE-2026-23440

Redhat

Severity : Moderate

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23440 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:53:59Z

Weaknesses