Linux Kernel TLS Module Race: Dereference Freed Object in tx_work
CVE-2026-23240 Published on March 10, 2026
tls: Fix race condition in tls_sw_cancel_work_tx()
In the Linux kernel, the following vulnerability has been resolved:
tls: Fix race condition in tls_sw_cancel_work_tx()
This issue was discovered during a code audit.
After cancel_delayed_work_sync() is called from tls_sk_proto_close(),
tx_work_handler() can still be scheduled from paths such as the
Delayed ACK handler or ksoftirqd.
As a result, the tx_work_handler() worker may dereference a freed
TLS object.
The following is a simple race scenario:
cpu0 cpu1
tls_sk_proto_close()
tls_sw_cancel_work_tx()
tls_write_space()
tls_sw_write_space()
if (!test_and_set_bit(BIT_TX_SCHEDULED, &tx_ctx->tx_bitmask))
set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask);
cancel_delayed_work_sync(&ctx->tx_work.work);
schedule_delayed_work(&tx_ctx->tx_work.work, 0);
To prevent this race condition, cancel_delayed_work_sync() is
replaced with disable_delayed_work_sync().
Products Associated with CVE-2026-23240
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version f87e62d45e51b12d48d2cb46b5cde8f83b866bc4 and below a5de36d6cee74a92c1a21b260bc507e64bc451de is affected.
- Version f87e62d45e51b12d48d2cb46b5cde8f83b866bc4 and below 854cd32bc74fe573353095e90958490e4e4d641b is affected.
- Version f87e62d45e51b12d48d2cb46b5cde8f83b866bc4 and below 17153f154f80be2b47ebf52840f2d8f724eb2f3b is affected.
- Version f87e62d45e51b12d48d2cb46b5cde8f83b866bc4 and below 7bb09315f93dce6acc54bf59e5a95ba7365c2be4 is affected.
- Version 5.3 is affected.
- Before 5.3 is unaffected.
- Version 6.12.75, <= 6.12.* is unaffected.
- Version 6.18.16, <= 6.18.* is unaffected.
- Version 6.19.6, <= 6.19.* is unaffected.
- Version 7.0-rc2, <= * is unaffected.