CVE-2026-23393

In the Linux kernel, the following vulnerability has been resolved:

bridge: cfm: Fix race condition in peer_mep deletion

When a peer MEP is being deleted, cancel_delayed_work_sync() is called on ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in softirq context under rcu_read_lock (without RTNL) and can re-schedule ccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync() returning and kfree_rcu() being called.

The following is a simple race scenario:

    cpu0                                      cpu1

    mep_delete_implementation()
      cancel_delayed_work_sync(ccm_rx_dwork);
                                              br_cfm_frame_rx()
                                                // peer_mep still in hlist
                                                if (peer_mep->ccm_defect)
                                                  ccm_rx_timer_start()
                                                    queue_delayed_work(ccm_rx_dwork)
      hlist_del_rcu(&peer_mep->head);
      kfree_rcu(peer_mep, rcu);
                                              ccm_rx_work_expired()
                                                // on freed peer_mep

To prevent this, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync() in both peer MEP deletion paths, so that subsequent queue_delayed_work() calls from br_cfm_frame_rx() are silently rejected.

The cc_peer_disable() helper retains cancel_delayed_work_sync() because it is also used for the CC enable/disable toggle path where the work must remain re-schedulable.

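
Added example, not part of the CVE record or the kernel patch: a single-threaded userspace C model that replays the interleaving described above, once with cancel semantics and once with disable semantics. The model_* names, the struct layout and the disable counter are assumptions made for illustration and are not the kernel's workqueue implementation.

```c
#include <stdbool.h>
#include <stdio.h>

/* Illustrative model only: the two delayed-work states that matter here. */
struct model_dwork {
    bool pending;   /* queued; the handler will run later */
    int disabled;   /* > 0: queueing attempts are refused */
};

struct model_peer_mep {
    bool ccm_defect, in_hlist, freed;
    struct model_dwork ccm_rx_dwork;
};

/* Models queue_delayed_work(): returns false when nothing was queued. */
static bool model_queue(struct model_dwork *w)
{
    if (w->disabled || w->pending)
        return false;
    w->pending = true;
    return true;
}

/* Models cancel_delayed_work_sync(): the work stays re-schedulable. */
static void model_cancel_sync(struct model_dwork *w) { w->pending = false; }
/* Models disable_delayed_work_sync(): later queueing is rejected. */
static void model_disable_sync(struct model_dwork *w) { w->pending = false; w->disabled++; }

/* Replays the race; true means work is queued on a freed peer_mep. */
bool replay_delete_race(bool use_disable)
{
    struct model_peer_mep p = { .ccm_defect = true, .in_hlist = true };
    p.ccm_rx_dwork.pending = true;            /* constructed: timer already armed */
    if (use_disable)                          /* cpu0: deletion path */
        model_disable_sync(&p.ccm_rx_dwork);
    else
        model_cancel_sync(&p.ccm_rx_dwork);
    if (p.in_hlist && p.ccm_defect)           /* cpu1: br_cfm_frame_rx() */
        model_queue(&p.ccm_rx_dwork);         /* via ccm_rx_timer_start() */
    p.in_hlist = false;                       /* cpu0: hlist_del_rcu() */
    p.freed = true;                           /* cpu0: kfree_rcu() */
    return p.freed && p.ccm_rx_dwork.pending; /* ccm_rx_work_expired() would run */
}

int main(void)
{
    printf("cancel: %d, disable: %d\n", replay_delete_race(false), replay_delete_race(true));
    return 0;
}
```
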
Configurations

Configuration 1

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.11:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

History

24 Apr 2026, 18:39

Type: CPE
Values Added:
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.11:-:*:*:*:*:*:*

Type: First Time
Values Added: Linux; Linux linux Kernel

Type: CWE
Values Added: CWE-362

Type: References
Values Removed: () https://git.kernel.org/stable/c/1fd81151f65927fd9edb8ecd12ad45527dbbe5ab -
Values Added: () https://git.kernel.org/stable/c/1fd81151f65927fd9edb8ecd12ad45527dbbe5ab - Patch

Type: References
Values Removed: () https://git.kernel.org/stable/c/3715a00855316066cdda69d43648336367422127 -
Values Added: () https://git.kernel.org/stable/c/3715a00855316066cdda69d43648336367422127 - Patch

Type: References
Values Removed: () https://git.kernel.org/stable/c/d8f35767bacb3c7769d470a41cf161e3f3c07e70 -
Values Added: () https://git.kernel.org/stable/c/d8f35767bacb3c7769d470a41cf161e3f3c07e70 - Patch

Type: References
Values Removed: () https://git.kernel.org/stable/c/e89dbd2736a45f0507949af4748cbbf3ff793146 -
Values Added: () https://git.kernel.org/stable/c/e89dbd2736a45f0507949af4748cbbf3ff793146 - Patch

02 Apr 2026, 15:16

Type: CVSS
Values Removed: v2 : unknown; v3 : unknown
Values Added: v2 : unknown; v3 : 7.8

Type: Summary
Values Added: (es) Spanish translation of the description at the top of this record.

25 Mar 2026, 11:16

Type: New CVE

Information

Published : 2026-03-25 11:16

Updated : 2026-04-24 18:39

Products Affected

linux

  • linux_kernel
CWE
CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')