CVE-2026-23193 in Linux
Summary
by MITRE • 02/14/2026
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()
In iscsit_dec_session_usage_count(), the function calls complete() while holding the sess->session_usage_lock. Similar to the connection usage count logic, the waiter signaled by complete() (e.g., in the session release path) may wake up and free the iscsit_session structure immediately.
This creates a race condition where the current thread may attempt to execute spin_unlock_bh() on a session structure that has already been deallocated, resulting in a KASAN slab-use-after-free.
To resolve this, release the session_usage_lock before calling complete() to ensure all dereferences of the sess pointer are finished before the waiter is allowed to proceed with deallocation.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 05/05/2026
The vulnerability described in CVE-2026-23193 represents a critical use-after-free condition within the Linux kernel's iSCSI target implementation, specifically affecting the SCSI subsystem's handling of session management. This flaw exists in the iscsit_dec_session_usage_count() function where improper locking mechanisms create a race condition that can lead to kernel memory corruption and potential system instability. The issue manifests in the context of iSCSI target operations where multiple threads may simultaneously access and manipulate session structures, creating a scenario where memory deallocation occurs while other threads are still referencing the freed memory.
The technical root cause stems from the improper sequence of operations within the session usage count decrement function. When iscsit_dec_session_usage_count() executes, it holds the sess->session_usage_lock while calling the complete() function to signal waiting threads. This ordering creates a window where the waiter thread, upon being signaled, can immediately proceed to free the iscsit_session structure before the current thread completes its operations on the session pointer. The race condition occurs because the function fails to release the lock before signaling completion, allowing for a scenario where spin_unlock_bh() is called on memory that has already been deallocated. This specific vulnerability pattern aligns with CWE-416, which addresses use-after-free conditions in memory management operations.
The operational impact of this vulnerability extends beyond simple memory corruption, potentially enabling privilege escalation attacks or system crashes in environments utilizing iSCSI target functionality. Attackers could exploit this race condition to trigger kernel memory corruption, leading to system instability, data loss, or in severe cases, complete system compromise. The vulnerability affects systems running Linux kernels with iSCSI target support, particularly those implementing high-concurrency scenarios where multiple session operations occur simultaneously. The KASAN (Kernel Address Sanitizer) detection mechanism confirms the presence of this slab-use-after-free condition, indicating that the kernel's memory tracking capabilities have identified the improper memory access patterns that occur during concurrent session management operations.
The mitigation strategy for this vulnerability requires a fundamental change in the locking sequence within the iscsit_dec_session_usage_count() function. The fix involves releasing the session_usage_lock before calling complete() to ensure that all dereferences of the sess pointer are completed before any waiter thread is allowed to proceed with deallocation. This approach follows established best practices for concurrent programming in kernel space, where lock ordering and release timing are critical to preventing race conditions. The solution aligns with ATT&CK technique T1068 by potentially enabling privilege escalation through kernel memory corruption, and with CWE-691 by addressing improper lock release sequences that could lead to security-relevant race conditions. This fix represents a defensive programming approach that ensures proper synchronization between concurrent threads accessing shared kernel resources, thereby maintaining the integrity of the iSCSI target subsystem and preventing potential exploitation through memory corruption attacks.