HIGH
iSCSI target session usage UAF
CVE-2026-23193
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 8.8 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()

In iscsit_dec_session_usage_count(), the function calls complete() while holding the sess->session_usage_lock. Similar to the connection usage count logic, the waiter signaled by complete() (e.g., in the session release path) may wake up and free the iscsit_session structure immediately. This creates a race condition where the current thread may attempt to execute spin_unlock_bh() on a session structure that has already been deallocated, resulting in a KASAN slab-use-after-free.

To resolve this, release the session_usage_lock before calling complete() to ensure all dereferences of the sess pointer are finished before the waiter is allowed to proceed with deallocation.
02 KernelScan AI Analysis
Risk summary
A use-after-free in the iSCSI target subsystem allows a local attacker with sufficient privileges to crash the system or potentially execute arbitrary code. The bug is triggered during session cleanup, when two threads race on the session structure: one thread frees the iscsit_session while the other is still dereferencing it, corrupting kernel memory.
Vulnerability analysis
Root Cause: In iscsit_dec_session_usage_count(), the function calls complete() while still holding the sess->session_usage_lock spinlock. The waiter signaled by complete() (typically in the session release path) can immediately wake up and free the iscsit_session structure. This creates a race condition where the current thread attempts to execute spin_unlock_bh() on a session structure that has already been deallocated.
Attack Surface: This vulnerability affects iSCSI target implementations in the kernel. It requires local access with sufficient privileges to interact with iSCSI target sessions. The race condition occurs during session cleanup operations, making it exploitable when multiple threads are concurrently managing iSCSI session lifecycle operations.
Fix Mechanism: The fix reorders the operations to release the session_usage_lock before calling complete(). This ensures all dereferences of the sess pointer are finished before the waiter is allowed to proceed with deallocation. The fix adds an early return after complete() to avoid the subsequent spin_unlock_bh() call.
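As an added illustration (not the kernel's code and not part of this report), the following C model mirrors the ordering described above: the vulnerable form calls complete() while the lock is held and then unlocks, while the fixed form drops the lock, calls complete(), and returns without touching the session again. The completion is modelled by running the waiter synchronously, which is the worst-case interleaving the description warns about, and the "freed" object is only marked freed rather than released so that any later lock operation on it can be counted as the use-after-free KASAN would report. All names (model_session, model_lock, dec_usage_vulnerable, and so on) are hypothetical stand-ins for spin_lock_bh(), spin_unlock_bh(), complete() and the session fields.

```c
/* Added model (not the kernel's code) of the lock/complete() ordering bug.
 * The "completion" is modelled by running the waiter synchronously inside
 * model_complete(): the release path wakes and frees the session before
 * complete() returns to its caller. All names are hypothetical stand-ins. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct model_session {
    int  usage_count;     /* models sess->session_usage_count */
    bool lock_held;       /* models sess->session_usage_lock */
    bool waiter_pending;  /* a thread is blocked waiting for usage to drop to 0 */
    bool freed;           /* the release path has freed the object */
};

/* Number of lock operations performed on an already-freed session,
 * i.e. what KASAN would flag as a slab-use-after-free. */
static int g_uaf_events;

static void model_lock(struct model_session *s)
{
    if (s->freed)
        g_uaf_events++;
    s->lock_held = true;
}

static void model_unlock(struct model_session *s)
{
    if (s->freed)
        g_uaf_events++;
    s->lock_held = false;
}

/* complete(): the waiter runs immediately and frees the session. The memory
 * is only marked freed (not released) so later touches can be detected. */
static void model_complete(struct model_session *s)
{
    if (s->waiter_pending) {
        s->waiter_pending = false;
        s->freed = true;
    }
}

/* Vulnerable ordering: complete() is called with the lock held, then the
 * function unlocks a structure the waiter may already have freed. */
static void dec_usage_vulnerable(struct model_session *s)
{
    model_lock(s);
    s->usage_count--;
    if (s->usage_count == 0 && s->waiter_pending)
        model_complete(s);
    model_unlock(s);            /* use-after-free when the waiter won the race */
}

/* Fixed ordering: release the lock first, then complete() and return early
 * so the session is never dereferenced after the waiter may have freed it. */
static void dec_usage_fixed(struct model_session *s)
{
    model_lock(s);
    s->usage_count--;
    if (s->usage_count == 0 && s->waiter_pending) {
        model_unlock(s);
        model_complete(s);
        return;                 /* no use of s past this point */
    }
    model_unlock(s);
}

/* Run one scenario on a freshly constructed session and return the number
 * of lock operations that touched freed memory. */
static int run_scenario(void (*dec)(struct model_session *), int count, bool waiter)
{
    struct model_session s;
    memset(&s, 0, sizeof(s));
    s.usage_count = count;
    s.waiter_pending = waiter;
    g_uaf_events = 0;
    dec(&s);
    return g_uaf_events;
}

int uaf_events_vulnerable(void) { return run_scenario(dec_usage_vulnerable, 1, true); }
int uaf_events_fixed(void)      { return run_scenario(dec_usage_fixed, 1, true); }
/* Without a waiter nothing is freed, so both orderings are clean. */
int uaf_events_no_waiter(void)
{
    return run_scenario(dec_usage_vulnerable, 1, false)
         + run_scenario(dec_usage_fixed, 1, false);
}

int main(void)
{
    printf("vulnerable ordering: %d UAF touch(es)\n", uaf_events_vulnerable());
    printf("fixed ordering:      %d UAF touch(es)\n", uaf_events_fixed());
    printf("no waiter pending:   %d UAF touch(es)\n", uaf_events_no_waiter());
    return 0;
}
```

The model only shows the interleaving that loses; in the real kernel the same code is correct most of the time because the waiter usually has not been scheduled by the time spin_unlock_bh() runs, which is why this class of bug tends to surface only under KASAN or stress testing rather than in normal operation.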
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.250 | 2b64015550a1 |
| 5.15 | 5.15.200 | fd8b09001733 |
| 6.1 | 6.1.163 | d8dbdc146e9e |
| 6.6 | 6.6.124 | 11ebafffce31 |
| 6.12 | 6.12.70 | 41b86a9ec037 |
| 6.18 | 6.18.10 | 4530f4e4d0e6 |
| mainline | 6.19 | 84dc6037390b |