{"id":"CVE-2026-23239","summary":"espintcp: Fix race condition in espintcp_close()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nespintcp: Fix race condition in espintcp_close()\n\nThis issue was discovered during a code audit.\n\nAfter cancel_work_sync() is called from espintcp_close(),\nespintcp_tx_work() can still be scheduled from paths such as\nthe Delayed ACK handler or ksoftirqd.\nAs a result, the espintcp_tx_work() worker may dereference a\nfreed espintcp ctx or sk.\n\nThe following is a simple race scenario:\n\n           cpu0                             cpu1\n\n  espintcp_close()\n    cancel_work_sync(&ctx-\u003ework);\n                                     espintcp_write_space()\n                                       schedule_work(&ctx-\u003ework);\n\nTo prevent this race condition, cancel_work_sync() is\nreplaced with disable_work_sync().","modified":"2026-05-07T04:16:40.878601Z","published":"2026-03-10T17:28:26.190Z","related":["SUSE-SU-2026:21237-1","SUSE-SU-2026:21352-1","SUSE-SU-2026:21361-1","openSUSE-SU-2026:10387-1","openSUSE-SU-2026:20572-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23239.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/022ff7f347588de6e17879a1da6019647b21321b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/664e9df53226b4505a0894817ecad2c610ab11d8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e1512c1db9e8794d8d130addd2615ec27231d994"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f7ad8b1d0e421c524604d5076b73232093490d5c"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23239.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23239"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e27cca96cd68fa2c6814c90f9a1cfd36bb68c593"},{"fixed":"f7ad8b1d0e421c524604d5076b73232093490d5c"},{"fixed":"664e9df53226b4505a0894817ecad2c610ab11d8"},{"fixed":"022ff7f347588de6e17879a1da6019647b21321b"},{"fixed":"e1512c1db9e8794d8d130addd2615ec27231d994"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23239.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.6.0"},{"fixed":"6.12.75"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.16"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.6"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23239.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}