Description
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Prevent concurrent access to IPSec ASO context

The query or updating IPSec offload object is through Access ASO WQE.
The driver uses a single mlx5e_ipsec_aso struct for each PF, which
contains a shared DMA-mapped context for all ASO operations.

A race condition exists because the ASO spinlock is released before
the hardware has finished processing WQE. If a second operation is
initiated immediately after, it overwrites the shared context in the
DMA area.

When the first operation's completion is processed later, it reads
this corrupted context, leading to unexpected behavior and incorrect
results.

This commit fixes the race by introducing a private context within
each IPSec offload object. The shared ASO context is now copied to
this private context while the ASO spinlock is held. Subsequent
processing uses this saved, per-object context, ensuring its integrity
is maintained.
Published: 2026-04-03
Score: 7.0 High
EPSS: n/a
KEV: No
Impact: Integrity and Availability Risk
Action: Apply Patch
AI Analysis

Impact

A race condition exists in the Linux kernel’s mlx5e driver that manages IPSec offload objects. The driver uses a single shared context for all ASO operations, and the lock protecting this context is released before the hardware finishes processing a work queue entry. If a second operation begins immediately afterward, it overwrites the shared DMA area. When the first operation eventually completes, its completion handler reads the corrupted context, causing incorrect cryptographic results or unpredictable driver behavior. This flaw can corrupt secure traffic and may lead to kernel instability or service interruption.
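The interleaving described above can be replayed in a small user-space model. This is an added example, not code from the mlx5e driver or from the fixing commit: the struct and function names are hypothetical, the "device" is a plain function, and the lock is represented only by comments so that the replay stays single-threaded and deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CTX_WORDS 4

/* Hypothetical model: one per PF, a single buffer the device writes into. */
struct aso_model { uint32_t dma_ctx[CTX_WORDS]; };

/* Hypothetical model of an IPSec offload object. */
struct sa_model {
    uint32_t id;
    uint32_t priv_ctx[CTX_WORDS]; /* per-object copy, as introduced by the fix */
};

/* Device side: the result for this object lands in the shared buffer. */
static void device_complete(struct aso_model *aso, const struct sa_model *sa)
{
    for (uint32_t i = 0; i < CTX_WORDS; i++)
        aso->dma_ctx[i] = (sa->id << 8) | i; /* constructed payload tagged with owner id */
}

/* One ASO operation. With save_private set, the shared context is copied
 * into the object before the lock is dropped. */
static void aso_op(struct aso_model *aso, struct sa_model *sa, int save_private)
{
    /* lock held from here */
    device_complete(aso, sa);
    if (save_private)
        memcpy(sa->priv_ctx, aso->dma_ctx, sizeof(sa->priv_ctx));
    /* lock released here */
}

/* Later processing: report which object the context it reads belongs to. */
static uint32_t handler_owner(const struct aso_model *aso,
                              const struct sa_model *sa, int use_private)
{
    const uint32_t *ctx = use_private ? sa->priv_ctx : aso->dma_ctx;
    return ctx[0] >> 8;
}

/* Replay: A's operation, then B's operation, then A's deferred processing. */
static uint32_t replay(int fixed)
{
    struct aso_model aso = { .dma_ctx = {0} };
    struct sa_model a = { .id = 0xA }, b = { .id = 0xB };

    aso_op(&aso, &a, fixed);
    aso_op(&aso, &b, fixed); /* overwrites the shared context */
    return handler_owner(&aso, &a, fixed);
}

int main(void)
{
    printf("shared context:  A's handler reads object 0x%X\n", (unsigned)replay(0));
    printf("private context: A's handler reads object 0x%X\n", (unsigned)replay(1));
    return 0;
}
```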

Affected Systems

All Linux kernels that compile with the mlx5e driver and enable IPSec offloading are vulnerable, up until the commit that introduces a private context per object. No specific kernel version numbers are identified, so the issue applies broadly to affected builds.

Risk and Exploitability

No CVSS or EPSS score is provided, and the vulnerability does not appear in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need at least local or privileged access to trigger multiple IPSec offload requests and cause the race. If achieved, the attacker could corrupt secured traffic or trigger a denial of service by destabilizing the kernel.

Generated by OpenCVE AI on April 3, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a kernel version that includes the commit adding a private context copy within each IPSec offload object.
  • If an immediate kernel upgrade is not feasible, disable IPSec offloading on affected network interfaces to prevent the race.
  • Verify that your vendor or kernel maintainers have applied the patch before re-enabling offloading services.

Advisories

No advisories yet.

History

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-821
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-665

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Prevent concurrent access to IPSec ASO context The query or updating IPSec offload object is through Access ASO WQE. The driver uses a single mlx5e_ipsec_aso struct for each PF, which contains a shared DMA-mapped context for all ASO operations. A race condition exists because the ASO spinlock is released before the hardware has finished processing WQE. If a second operation is initiated immediately after, it overwrites the shared context in the DMA area. When the first operation's completion is processed later, it reads this corrupted context, leading to unexpected behavior and incorrect results. This commit fixes the race by introducing a private context within each IPSec offload object. The shared ASO context is now copied to this private context while the ASO spinlock is held. Subsequent processing uses this saved, per-object context, ensuring its integrity is maintained.
Title net/mlx5e: Prevent concurrent access to IPSec ASO context
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T15:15:25.380Z

Reserved: 2026-01-13T15:37:46.017Z

Link: CVE-2026-23441

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-03T16:16:26.340

Modified: 2026-04-03T16:16:26.340

Link: CVE-2026-23441

Redhat

Severity: Moderate

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23441 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T21:16:10Z
