Skip to main content

Linux CVE-2026-23296

| EUVDEUVD-2026-15230 MEDIUM
2026-03-25 Linux GHSA-xvv5-hhxw-j52w
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 26, 2026 - 15:07 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15230
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:26 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

scsi: core: Fix refcount leak for tagset_refcnt

This leak will cause a hang when tearing down the SCSI host. For example, iscsid hangs with the following call trace:

[130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured

PID: 2528 TASK: ffff9d0408974e00 CPU: 3 COMMAND: "iscsid" #0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4 #1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f #2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0 #3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f #4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b #5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp] #6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi] #7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi] #8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6 #9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef

AnalysisAI

A reference count leak in the Linux kernel's SCSI core subsystem causes the tagset_refcnt reference counter to fail to decrement properly, resulting in resource exhaustion and system hangs during SCSI host teardown. This affects all Linux kernel versions with the vulnerable code path, particularly impacting iSCSI configurations where the leak manifests as indefinite blocking in scsi_remove_host() calls. While not actively exploited in the wild (no KEV status), this is a denial-of-service vulnerability that can be triggered by any user with the ability to manage SCSI sessions or trigger host removal operations.

Technical ContextAI

The vulnerability exists in the Linux kernel's SCSI (Small Computer System Interface) core subsystem, specifically in the block layer's tag set management. The tagset_refcnt reference counter is used to track active references to a SCSI tag set structure, which manages command queueing for SCSI devices. When tag sets are allocated and deallocated, the reference count must be properly incremented and decremented to ensure resources are freed. The leak occurs because a code path fails to decrement tagset_refcnt when appropriate, causing the reference count to never reach zero. This prevents the tag set from being freed and blocking operations (like scsi_remove_host) from completing. The affected products are identified via CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* across multiple kernel versions. While the description does not explicitly reference a CWE, this is classified as a reference counting error leading to resource exhaustion.

RemediationAI

Apply the official Linux kernel patch immediately by upgrading to a patched kernel version matching your stable branch (check https://git.kernel.org/stable for the appropriate commit hash corresponding to your kernel series). For systems that cannot immediately reboot, implement workarounds by avoiding unnecessary SCSI host removal operations and minimizing iSCSI session teardown cycles until patching is completed. Administrators managing iSCSI infrastructure should prioritize this update in their patch management schedules, particularly for storage-critical systems. After applying patches, reboot systems to activate the fixed kernel. Monitor kernel logs for any scsi_alloc_sdev allocation failure messages which may indicate the vulnerability is being triggered. For long-term stability, maintain kernel versions at the latest patch level within your supported release branch.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23296 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy