Description
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix race condition during IPSec ESN update

In IPSec full offload mode, the device reports an ESN (Extended
Sequence Number) wrap event to the driver. The driver validates this
event by querying the IPSec ASO and checking that the esn_event_arm
field is 0x0, which indicates an event has occurred. After handling
the event, the driver must re-arm the context by setting esn_event_arm
back to 0x1.

A race condition exists in this handling path. After validating the
event, the driver calls mlx5_accel_esp_modify_xfrm() to update the
kernel's xfrm state. This function temporarily releases and
re-acquires the xfrm state lock.

So, need to acknowledge the event first by setting esn_event_arm to
0x1. This prevents the driver from reprocessing the same ESN update if
the hardware sends events for other reasons. Since the next ESN update
only occurs after nearly 2^31 packets are received, there's no risk of
missing an update, as it will happen long after this handling has
finished.

Processing the event twice causes the ESN high-order bits (esn_msb) to
be incremented incorrectly. The driver then programs the hardware with
this invalid ESN state, which leads to anti-replay failures and a
complete halt of IPSec traffic.

Fix this by re-arming the ESN event immediately after it is validated,
before calling mlx5_accel_esp_modify_xfrm(). This ensures that any
spurious, duplicate events are correctly ignored, closing the race
window.
Published: 2026-04-03
Score: 4.7 Medium
EPSS: n/a
KEV: No
Impact: Denial of Service via IPSec traffic disruption
Action: Patch immediately
AI Analysis

Impact

A race condition in the Linux kernel mlx5e driver allows an attacker to trigger duplicate IPSec Extended Sequence Number (ESN) wrap events. When the driver validates an ESN event, it temporarily releases and reacquires an internal lock while updating the kernel’s xfrm state. If a second event arrives before the lock is re‑acquired, the high‑order ESN bits are incremented incorrectly, leading the driver to program the hardware with a corrupted state. This corrupt state causes anti‑replay checks to fail and results in a complete halt of IPSec traffic on the affected interface. The flaw does not enable arbitrary code execution but does break secure communications by interrupting or preventing IPSec traffic.
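
The ordering problem described above, as an added toy model in C (an illustration written for this page, not the mlx5e driver's code): a duplicate event is delivered while the modify step runs unlocked, once with the original re-arm-at-the-end order and once with the fixed re-arm-first order. Only `esn_msb` and `esn_event_arm` are names from the advisory; `sa_model`, `modify_xfrm_unlocked`, `handle_esn_event` and `run_wrap` are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of one offloaded SA; only esn_msb and esn_event_arm are
 * names from the advisory, everything else is hypothetical. */
struct sa_model {
    uint32_t esn_msb;       /* high-order ESN bits tracked by the driver */
    unsigned esn_event_arm; /* 0x1 = armed, 0x0 = wrap event occurred */
    int pending_dups;       /* duplicate events arriving while unlocked */
    bool rearm_first;       /* false = original order, true = fixed order */
};

static void handle_esn_event(struct sa_model *sa);

/* Stands in for mlx5_accel_esp_modify_xfrm(): the state lock is dropped
 * here, so a duplicate event can re-enter the handler. */
static void modify_xfrm_unlocked(struct sa_model *sa)
{
    while (sa->pending_dups > 0) {
        sa->pending_dups--;
        handle_esn_event(sa);
    }
}

static void handle_esn_event(struct sa_model *sa)
{
    if (sa->esn_event_arm != 0x0)
        return;                    /* still armed: no wrap to process */
    if (sa->rearm_first)
        sa->esn_event_arm = 0x1;   /* fix: acknowledge before unlocking */
    sa->esn_msb++;
    modify_xfrm_unlocked(sa);
    if (!sa->rearm_first)
        sa->esn_event_arm = 0x1;   /* original: re-arm only at the end */
}

/* One real wrap plus `dups` duplicate events; returns the final esn_msb. */
uint32_t run_wrap(bool rearm_first, int dups)
{
    struct sa_model sa = { .esn_msb = 0, .esn_event_arm = 0x0,
                           .pending_dups = dups, .rearm_first = rearm_first };
    handle_esn_event(&sa);
    return sa.esn_msb;
}

int main(void)
{
    printf("original order: esn_msb=%u\n", (unsigned)run_wrap(false, 1));
    printf("re-arm first:   esn_msb=%u\n", (unsigned)run_wrap(true, 1));
    return 0;
}
```

A single wrap should advance `esn_msb` by exactly one; in the model, every duplicate that lands in the unlocked window adds another increment under the original order, while the re-arm-first order ignores them.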

Affected Systems

The vulnerability applies to Linux kernel releases that include the mlx5e networking driver when IPSec full offload mode is enabled. No specific kernel versions are listed in the CVE data, so all kernels that ship with this driver and support the feature are potentially affected. Operating systems that rely on this driver for offloaded IPSec should review their kernel version against the commit that applies the fix.

Risk and Exploitability

The risk level is moderate for systems that rely heavily on IPSec offload: successful exploitation would disrupt secure communications but would not compromise system integrity or confidentiality beyond the affected traffic. For environments with no IPSec offload, the risk is negligible. Because the flaw is a race condition, multiple rapid event deliveries are needed to trigger it, which may reduce the likelihood of random exploitation in typical traffic patterns.

Generated by OpenCVE AI on April 3, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available Linux kernel patch that implements the ESN event re-arming fix.
  • If a patch has not yet been released, manually apply the relevant commit that re-arms the ESN event immediately after validation.
  • Consider disabling IPSec full offload on affected devices until the kernel update is applied or the commit is merged.
  • Verify that the issue is resolved by monitoring system logs for ESN wrap errors and ensuring that IPSec traffic flows normally.

Advisories

No advisories yet.

History

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics
  Values Removed: threat_severity: None
  Values Added: cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity: Moderate


Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Title net/mlx5e: Fix race condition during IPSec ESN update
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T15:15:24.596Z

Reserved: 2026-01-13T15:37:46.017Z

Link: CVE-2026-23440

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-03T16:16:26.020

Modified: 2026-04-03T16:16:26.020

Link: CVE-2026-23440

Redhat

Severity: Moderate

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23440 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T21:16:11Z

Weaknesses