CVE-2026-23239

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description The Linux kernel contains a race condition within the espintcp close() function. This issue was identified during a code audit and involves a scenario where, after cancel work sync() is called, espintcp tx work() can still be scheduled through mechanisms like the Delayed ACK handler or ksoftirqd. This can lead to the espintcp tx work() worker attempting to dereference memory that has already been freed, specifically an espintcp ctx or sk structure. The race condition occurs when cancel work sync() is used as a barrier for object lifetime management, causing a use-after-free condition across multiple networking subsystems. A proof-of-concept exploit was developed to demonstrate the vulnerability, interleaving Delayed ACK timers, NET RX softirqs, timerfd hardirqs, workqueue scheduling, and CFS scheduler manipulation to trigger the race condition within a narrow time window. The issue is addressed by replacing cancel work sync() with disable work sync().

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.