HIGH
iSCSI Target Connection UAF
CVE-2026-23216
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()

In iscsit_dec_conn_usage_count(), the function calls complete() while holding the conn->conn_usage_lock. As soon as complete() is invoked, the waiter (such as iscsit_close_connection()) may wake up and proceed to free the iscsit_conn structure.

If the waiter frees the memory before the current thread reaches spin_unlock_bh(), it results in a KASAN slab-use-after-free as the function attempts to release a lock within the already-freed connection structure.

Fix this by releasing the spinlock before calling complete().
02 KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in the iSCSI target subsystem can cause kernel crashes or, potentially, code execution when iSCSI connections are being torn down. It affects systems running iSCSI target services and can be triggered by network clients during connection cleanup.
Vulnerability analysis
Root Cause: In iscsit_dec_conn_usage_count(), the function calls complete() while holding conn->conn_usage_lock. The complete() call wakes up a waiter (like iscsit_close_connection()) which may immediately free the iscsit_conn structure. If the memory is freed before the current thread reaches spin_unlock_bh(), accessing the lock in the freed structure causes a use-after-free.
Attack Surface: This affects iSCSI target connections. The vulnerability is triggered during connection cleanup/teardown, when the usage count reaches zero. An attack requires the ability to establish iSCSI connections and trigger connection cleanup, which typically means network access to iSCSI target services.
Fix Mechanism: The patch fixes this by releasing the spinlock before calling complete(). This ensures that the lock is released while the connection structure is still valid, preventing the use-after-free when the waiter frees the memory.
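The ordering problem described above can be seen in a small userspace model. This is an added example, not the kernel source or the upstream patch: struct conn_model, the *_model helpers and both dec_usage_* functions are assumptions made for illustration, and the waiter is modeled as running (and freeing) synchronously inside complete(), which is the worst-case schedule.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified stand-in for struct iscsit_conn (a model, not kernel code). */
struct conn_model {
    int  usage_count;
    bool waiting_on_uc;      /* a closer is waiting for the count to hit 0 */
    bool freed;              /* set where the real waiter would free conn */
    int  touched_after_free; /* accesses that would be a UAF in the kernel */
};

/* Taking or dropping the lock is a memory access to the structure. */
static void touch(struct conn_model *c) { if (c->freed) c->touched_after_free++; }
static void lock_model(struct conn_model *c)   { touch(c); }
static void unlock_model(struct conn_model *c) { touch(c); }

/* Worst case: the waiter runs the instant complete() is called and frees. */
static void complete_model(struct conn_model *c) { touch(c); c->freed = true; }

/* Ordering the advisory describes as vulnerable: complete() under the lock. */
int dec_usage_before_fix(struct conn_model *c)
{
    lock_model(c);
    c->usage_count--;
    if (!c->usage_count && c->waiting_on_uc)
        complete_model(c);
    unlock_model(c);         /* lock lives inside memory the waiter freed */
    return c->touched_after_free;
}

/* Ordering the advisory describes as the fix: unlock, then complete(). */
int dec_usage_after_fix(struct conn_model *c)
{
    lock_model(c);
    c->usage_count--;
    bool wake = !c->usage_count && c->waiting_on_uc; /* decided under lock */
    unlock_model(c);
    if (wake)
        complete_model(c);   /* last access; the waiter may free from here */
    return c->touched_after_free;
}

int main(void)
{
    struct conn_model a = { .usage_count = 1, .waiting_on_uc = true };
    struct conn_model b = a;
    printf("before fix: %d access(es) after free\n", dec_usage_before_fix(&a));
    printf("after fix:  %d access(es) after free\n", dec_usage_after_fix(&b));
    return 0;
}
```

The model marks the structure as freed instead of calling free(), so the late unlock is counted rather than executed as undefined behavior.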
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.250 | ba6841914373 |
| 5.15 | 5.15.200 | 8518f072fc92 |
| 6.1 | 6.1.163 | 275016a551ba |
| 6.12 | 6.12.70 | 48fe983e92de |
| 6.18 | 6.18.10 | 3835e49e146a |
| 6.6 | 6.6.124 | 73b487d44bf4 |
| mainline | 6.19 | 9411a89e9e71 |