xfrm ESPinTCP Race
CVE-2026-23239
Severity: HIGH (KernelScan AI score 7.8)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
01 Description

In the Linux kernel, the following vulnerability has been resolved:

espintcp: Fix race condition in espintcp_close()

This issue was discovered during a code audit. After cancel_work_sync() is called from espintcp_close(), espintcp_tx_work() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the espintcp_tx_work() worker may dereference a freed espintcp ctx or sk.

The following is a simple race scenario:

```
cpu0                                   cpu1
espintcp_close()
  cancel_work_sync(&ctx->work);
                                       espintcp_write_space()
                                         schedule_work(&ctx->work);
```

To prevent this race condition, cancel_work_sync() is replaced with disable_work_sync().
02 KernelScan AI Analysis
Risk summary
A race condition in ESP-in-TCP socket cleanup allows use-after-free access to freed socket contexts. Local attackers with network privileges can potentially achieve arbitrary code execution or cause system crashes on systems using IPsec ESP-in-TCP encapsulation.
Vulnerability analysis
The vulnerability stems from improper synchronization in espintcp_close() where cancel_work_sync() is called to stop the transmission worker, but the worker can still be rescheduled from interrupt contexts (Delayed ACK handler, ksoftirqd) after cancellation. This creates a window where espintcp_tx_work() may execute and dereference freed espintcp context or socket structures. The fix replaces cancel_work_sync() with disable_work_sync() to prevent any further scheduling of the worker, ensuring proper cleanup ordering and eliminating the race condition.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.75 | f7ad8b1d0e42 |
| 6.18 | 6.18.16 | 664e9df53226 |
| 6.19 | 6.19.6 | 022ff7f34758 |
| mainline | 7.0 | e1512c1db9e8 |