| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2026021800-CVE-2026-23216-6c63@gregkh> Date: Wed, 18 Feb 2026 15:22:07 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2026-23216: scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() In iscsit_dec_conn_usage_count(), the function calls complete() while holding the conn->conn_usage_lock. As soon as complete() is invoked, the waiter (such as iscsit_close_connection()) may wake up and proceed to free the iscsit_conn structure. If the waiter frees the memory before the current thread reaches spin_unlock_bh(), it results in a KASAN slab-use-after-free as the function attempts to release a lock within the already-freed connection structure. Fix this by releasing the spinlock before calling complete(). The Linux kernel CVE team has assigned CVE-2026-23216 to this issue. Affected and fixed versions =========================== Fixed in 5.10.250 with commit ba684191437380a07b27666eb4e72748be1ea201 Fixed in 5.15.200 with commit 8518f072fc92921418cd9ed4268dd4f3e9a8fd75 Fixed in 6.1.163 with commit 275016a551ba1a068a3bd6171b18611726b67110 Fixed in 6.6.124 with commit 73b487d44bf4f92942629d578381f89c326ff77f Fixed in 6.12.70 with commit 48fe983e92de2c59d143fe38362ad17ba23ec7f3 Fixed in 6.18.10 with commit 3835e49e146a4e6e7787b29465f1a23379b6ec44 Fixed in 6.19 with commit 9411a89e9e7135cc459178fa77a3f1d6191ae903 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-23216 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/target/iscsi/iscsi_target_util.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/ba684191437380a07b27666eb4e72748be1ea201 https://git.kernel.org/stable/c/8518f072fc92921418cd9ed4268dd4f3e9a8fd75 https://git.kernel.org/stable/c/275016a551ba1a068a3bd6171b18611726b67110 https://git.kernel.org/stable/c/73b487d44bf4f92942629d578381f89c326ff77f https://git.kernel.org/stable/c/48fe983e92de2c59d143fe38362ad17ba23ec7f3 https://git.kernel.org/stable/c/3835e49e146a4e6e7787b29465f1a23379b6ec44 https://git.kernel.org/stable/c/9411a89e9e7135cc459178fa77a3f1d6191ae903
Powered by blists - more mailing lists