CVE-2026-23193

HIGH

Linux Kernel - Use-After-Free in iscsit_dec_session_usage_count()

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() In iscsit_dec_session_usage_count(), the function calls complete() while holding the sess->session_usage_lock. Similar to the connection usage count logic, the waiter signaled by complete() (e.g., in the session release path) may wake up and free the iscsit_session structure immediately. This creates a race condition where the current thread may attempt to execute spin_unlock_bh() on a session structure that has already been deallocated, resulting in a KASAN slab-use-after-free. To resolve this, release the session_usage_lock before calling complete() to ensure all dereferences of the sess pointer are finished before the waiter is allowed to proceed with deallocation.

References (7)

Core 7

Scores

CVSS v3 8.8
EPSS 0.0004
EPSS Percentile 11.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-416
Status published
Products (25)
linux/Kernel < 5.10.250linux
linux/Kernel 3.1.0 - 5.10.250linux
linux/Kernel 5.11.0 - 5.15.200linux
linux/Kernel 5.16.0 - 6.1.163linux
linux/Kernel 6.13.0 - 6.18.10linux
linux/Kernel 6.2.0 - 6.6.124linux
linux/Kernel 6.7.0 - 6.12.70linux
Linux/Linux < 3.1
Linux/Linux 3.1
Linux/Linux 5.10.250 - 5.10.*
... and 15 more
Published Feb 14, 2026
Tracked Since Feb 18, 2026