CVE-2026-23240

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 10/03/2026
Last modified: 02/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

tls: Fix race condition in tls_sw_cancel_work_tx()

This issue was discovered during a code audit.

After cancel_delayed_work_sync() is called from tls_sk_proto_close(), tx_work_handler() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the tx_work_handler() worker may dereference a freed TLS object.

The following is a simple race scenario:

    cpu0                                  cpu1

    tls_sk_proto_close()
      tls_sw_cancel_work_tx()
                                          tls_write_space()
                                            tls_sw_write_space()
                                              if (!test_and_set_bit(BIT_TX_SCHEDULED, &tx_ctx->tx_bitmask))
        set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask);
        cancel_delayed_work_sync(&ctx->tx_work.work);
                                              schedule_delayed_work(&tx_ctx->tx_work.work, 0);

To prevent this race condition, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().
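The interleaving above, replayed step by step in a small user-space model, shows why the replacement closes the window. This is an added example, not kernel code or part of the fix. The model_* names, the bit index and the single-threaded replay are assumptions. The model relies only on the documented workqueue behaviour that a disabled work item cannot be queued, while a cancelled one can.

```c
#include <stdbool.h>
#include <stdio.h>

#define BIT_TX_SCHEDULED 0 /* bit index is an assumption of this model */

struct model_work { bool pending; int disable_depth; };
struct model_ctx { unsigned long tx_bitmask; struct model_work tx_work; };

/* Models schedule_delayed_work(): a disabled or pending item is not queued. */
static bool model_schedule(struct model_work *w) {
    if (w->disable_depth > 0 || w->pending)
        return false;
    w->pending = true;
    return true;
}

/* Models cancel_delayed_work_sync(): drops the item, allows requeueing. */
static void model_cancel_sync(struct model_work *w) { w->pending = false; }

/* Models disable_delayed_work_sync(): drops it and blocks later queueing. */
static void model_disable_sync(struct model_work *w) {
    w->disable_depth++;
    w->pending = false;
}

static bool model_test_and_set_bit(int nr, unsigned long *mask) {
    bool old = (*mask >> nr) & 1UL;
    *mask |= 1UL << nr;
    return old;
}

/* Replays the cpu0/cpu1 steps in the order shown; true = work still queued. */
bool work_pending_after_close(bool use_disable) {
    struct model_ctx ctx = {0};
    /* cpu1: tls_sw_write_space() sees the bit clear and commits to schedule */
    bool cpu1_schedules = !model_test_and_set_bit(BIT_TX_SCHEDULED, &ctx.tx_bitmask);
    /* cpu0: tls_sw_cancel_work_tx(); set_bit() comes too late to stop cpu1 */
    ctx.tx_bitmask |= 1UL << BIT_TX_SCHEDULED;
    if (use_disable) model_disable_sync(&ctx.tx_work);
    else model_cancel_sync(&ctx.tx_work);
    /* cpu1: resumes after cpu0's cancel/disable call has returned */
    if (cpu1_schedules) model_schedule(&ctx.tx_work);
    return ctx.tx_work.pending;
}

int main(void) {
    printf("cancel: pending=%d, disable: pending=%d\n",
           work_pending_after_close(false), work_pending_after_close(true));
    return 0;
}
```

With the cancel variant the work item is left queued after the close path has finished, which is the state in which tx_work_handler() can later run against a freed TLS object.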