Skip to main content

Linux EUVDEUVD-2026-18682

| CVE-2026-23441 MEDIUM
Race Condition (CWE-362)
2026-04-03 Linux
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 23, 2026 - 21:11 NVD
4.7 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
99aaee927800ea00b441b607737f9f67b1899755,99b36850d881e2d65912b2520a1c80d0fcc9429a,6834d196107d5267dcad31b44211da7698e8f618
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18682
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Prevent concurrent access to IPSec ASO context

The query or updating IPSec offload object is through Access ASO WQE. The driver uses a single mlx5e_ipsec_aso struct for each PF, which contains a shared DMA-mapped context for all ASO operations.

A race condition exists because the ASO spinlock is released before the hardware has finished processing WQE. If a second operation is initiated immediately after, it overwrites the shared context in the DMA area.

When the first operation's completion is processed later, it reads this corrupted context, leading to unexpected behavior and incorrect results.

This commit fixes the race by introducing a private context within each IPSec offload object. The shared ASO context is now copied to this private context while the ASO spinlock is held. Subsequent processing uses this saved, per-object context, ensuring its integrity is maintained.

AnalysisAI

Race condition in Linux kernel net/mlx5e IPSec offload driver allows concurrent access to a shared DMA-mapped ASO context, potentially causing information disclosure or incorrect IPSec processing results. The vulnerability affects systems using Mellanox MLX5 network adapters with IPSec offload functionality. An attacker with local access to initiate multiple IPSec operations in rapid succession can trigger the race condition, corrupting the shared context and causing subsequent operations to read invalid data, compromising confidentiality and integrity of IPSec-protected traffic.

Technical ContextAI

The vulnerability resides in the Mellanox MLX5 ethernet driver's IPSec offload implementation (net/mlx5e subsystem). IPSec offload uses Access ASO (Atomic ASO WQE) to query and update IPSec state objects in hardware. The driver maintains a single mlx5e_ipsec_aso structure per Physical Function (PF) containing a shared DMA-mapped context. The root cause is a synchronization defect where the spinlock protecting the shared ASO context is released before the hardware completes WQE processing. This allows a second operation to overwrite the shared context in DMA memory while the first operation's completion handler is still scheduled. When the completion processes, it reads corrupted context data, leading to incorrect IPSec state or information leakage. The fix introduces per-object private contexts that capture the ASO state while the spinlock is held, decoupling subsequent completion processing from shared resource contention.

RemediationAI

Apply kernel patches addressing the race condition. The upstream fix has been merged into stable kernel branches via commits available at https://git.kernel.org/stable/c/99aaee927800ea00b441b607737f9f67b1899755 and related commits in the stable tree. Downstream distributions (Red Hat, Canonical, SUSE) will release kernel updates in their security advisories; users should apply these updates as they become available for their distribution and kernel version. Immediate workaround: disable IPSec offload on MLX5 adapters by removing or disabling the mlx5_ipsec module if the system does not require hardware-accelerated IPSec, reverting to software-based IPSec handling. Monitor your distribution's security advisory channels for patched kernel versions specific to your release branch.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-18682 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy