Skip to main content

Linux CVE-2026-23440

| EUVDEUVD-2026-18681 HIGH
Race Condition (CWE-362)
2026-04-03 Linux GHSA-255w-8g7g-qmg6
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
4.7 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
Severity Changed
Apr 27, 2026 - 14:22 NVD
MEDIUM HIGH
CVSS changed
Apr 27, 2026 - 14:22 NVD
4.7 (MEDIUM) 7.5 (HIGH)
CVSS changed
Apr 23, 2026 - 21:11 NVD
4.7 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
96c9c25b74686ac2de15921c9ad30c5ef13af8cd,8d625c15471fb8780125eaef682983a96af77bdc,3dffc083292e6872787bd7e34b957627622f9af4
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18681
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix race condition during IPSec ESN update

In IPSec full offload mode, the device reports an ESN (Extended Sequence Number) wrap event to the driver. The driver validates this event by querying the IPSec ASO and checking that the esn_event_arm field is 0x0, which indicates an event has occurred. After handling the event, the driver must re-arm the context by setting esn_event_arm back to 0x1.

A race condition exists in this handling path. After validating the event, the driver calls mlx5_accel_esp_modify_xfrm() to update the kernel's xfrm state. This function temporarily releases and re-acquires the xfrm state lock.

So, need to acknowledge the event first by setting esn_event_arm to 0x1. This prevents the driver from reprocessing the same ESN update if the hardware sends events for other reason. Since the next ESN update only occurs after nearly 2^31 packets are received, there's no risk of missing an update, as it will happen long after this handling has finished.

Processing the event twice causes the ESN high-order bits (esn_msb) to be incremented incorrectly. The driver then programs the hardware with this invalid ESN state, which leads to anti-replay failures and a complete halt of IPSec traffic.

Fix this by re-arming the ESN event immediately after it is validated, before calling mlx5_accel_esp_modify_xfrm(). This ensures that any spurious, duplicate events are correctly ignored, closing the race window.

AnalysisAI

Linux kernel net/mlx5e driver suffers a race condition during IPSec ESN (Extended Sequence Number) update handling that causes incorrect ESN high-order bit increments, leading to anti-replay failures and IPSec traffic halts. The vulnerability affects systems using Mellanox ConnectX adapters with IPSec full offload mode enabled. Attackers with local network access or the ability to trigger IPSec traffic patterns could exploit this to disrupt encrypted communications, though no public exploit code or active exploitation has been reported.

Technical ContextAI

The Mellanox mlx5e driver handles IPSec offload via hardware ASO (Atomic Signature Operation) contexts. When the device detects an ESN wrap event (after ~2^31 packets), it signals the driver by setting esn_event_arm to 0x0. The vulnerability exists in the event acknowledgment flow: after validating the event, the driver called mlx5_accel_esp_modify_xfrm() to sync kernel xfrm state, but this function temporarily released and re-acquired locks. During the lock window, the hardware could send duplicate events or the same event could be reprocessed, causing the esn_msb field to increment twice instead of once. This results in an invalid ESN state being programmed to hardware, breaking anti-replay protection. The fix reorders operations to acknowledge the event (set esn_event_arm to 0x1) immediately after validation, before any lock-releasing calls, eliminating the race window. Since the next legitimate ESN update requires ~2^31 additional packets, duplicate event suppression poses no risk of missed updates.

RemediationAI

Upstream fix available via Linux kernel stable commits; exact patched kernel versions should be identified by checking the stable branch timelines at https://git.kernel.org/stable/. Systems administrators should upgrade to a kernel version that includes one of the five fix commits listed above. As an interim workaround, disable IPSec full offload mode on Mellanox adapters (revert to software IPSec) by modifying driver parameters or disabling offload in the network configuration, though this will impact performance. Consult the Mellanox/NVIDIA driver documentation and your kernel distribution's security advisories for specific patched kernel versions available for your release.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23440 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy