{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23120", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.970Z", "datePublished": "2026-02-14T15:09:51.223Z", "dateUpdated": "2026-05-11T22:00:30.930Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:00:30.930Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: avoid one data-race in l2tp_tunnel_del_work()\n\nWe should read sk->sk_socket only when dealing with kernel sockets.\n\nsyzbot reported the following data-race:\n\nBUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release\n\nwrite to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0:\n sk_set_socket include/net/sock.h:2092 [inline]\n sock_orphan include/net/sock.h:2118 [inline]\n sk_common_release+0xae/0x230 net/core/sock.c:4003\n udp_lib_close+0x15/0x20 include/net/udp.h:325\n inet_release+0xce/0xf0 net/ipv4/af_inet.c:437\n __sock_release net/socket.c:662 [inline]\n sock_close+0x6b/0x150 net/socket.c:1455\n __fput+0x29b/0x650 fs/file_table.c:468\n ____fput+0x1c/0x30 fs/file_table.c:496\n task_work_run+0x131/0x1a0 kernel/task_work.c:233\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n __exit_to_user_mode_loop kernel/entry/common.c:44 [inline]\n exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75\n __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]\n syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]\n do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nread to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1:\n l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418\n process_one_work kernel/workqueue.c:3257 [inline]\n process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340\n worker_thread+0x582/0x770 kernel/workqueue.c:3421\n kthread+0x489/0x510 kernel/kthread.c:463\n ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n\nvalue changed: 0xffff88811b818000 -> 0x0000000000000000"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/l2tp/l2tp_core.c"], "versions": [{"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9", "lessThan": "1f63ca44b4f419a1663d94d1bb0b4e2beb73fdb4", "status": "affected", "versionType": "git"}, {"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9", "lessThan": "36c40a80109f1771d59558050b1a71e13c60c759", "status": "affected", "versionType": "git"}, {"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9", "lessThan": "eae074dab764ea181bbed5e88626889319177498", "status": "affected", "versionType": "git"}, {"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9", "lessThan": "68e92085427c84e7679ddb53c0d68836d220b6e7", "status": "affected", "versionType": "git"}, {"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9", "lessThan": "3d6d414b214ce31659bded2f8df50c93a3769474", "status": "affected", "versionType": "git"}, {"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9", "lessThan": "32d417497b79efb403d75f4c185fe6fd9d64b94f", "status": "affected", "versionType": "git"}, {"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9", "lessThan": "7a29f6bf60f2590fe5e9c4decb451e19afad2bcf", "status": "affected", "versionType": "git"}, {"version": "15df699fdc5af46a9fb15ae2d9326294852de5b5", "status": "affected", "versionType": "git"}, {"version": "18bdaefc715b4530b4b2fe670506bb47713664cc", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/l2tp/l2tp_core.c"], "versions": [{"version": "4.16", "status": "affected"}, {"version": "0", "lessThan": "4.16", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.249", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.199", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.68", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "5.10.249"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "5.15.199"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "6.1.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "6.12.68"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "6.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16.57"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15.8"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1f63ca44b4f419a1663d94d1bb0b4e2beb73fdb4"}, {"url": "https://git.kernel.org/stable/c/36c40a80109f1771d59558050b1a71e13c60c759"}, {"url": "https://git.kernel.org/stable/c/eae074dab764ea181bbed5e88626889319177498"}, {"url": "https://git.kernel.org/stable/c/68e92085427c84e7679ddb53c0d68836d220b6e7"}, {"url": "https://git.kernel.org/stable/c/3d6d414b214ce31659bded2f8df50c93a3769474"}, {"url": "https://git.kernel.org/stable/c/32d417497b79efb403d75f4c185fe6fd9d64b94f"}, {"url": "https://git.kernel.org/stable/c/7a29f6bf60f2590fe5e9c4decb451e19afad2bcf"}], "title": "l2tp: avoid one data-race in l2tp_tunnel_del_work()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "38BA6B6B-1C08-4FA2-9202-D6F0F7E2F21C", "versionEndExcluding": "3.17", "versionStartIncluding": "3.16.57", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "252FC08B-7067-4768-8ACD-ABFE62451433", "versionEndExcluding": "4.16", "versionStartIncluding": "4.15.8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A1944CE8-6BD5-4834-8128-59789B6959EB", "versionEndExcluding": "5.10.249", "versionStartIncluding": "4.16.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A247FBA6-BEB9-484F-B892-DD5517949CCD", "versionEndExcluding": "5.15.199", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6579E0D4-0641-479D-A4C3-0EF618798C55", "versionEndExcluding": "6.1.162", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F", "versionEndExcluding": "6.6.122", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "52F38E19-0FDD-4992-9D6D-D4169D689598", "versionEndExcluding": "6.12.68", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E65C6E79-7EBE-4C77-93F0-818CF5B38F4E", "versionEndExcluding": "6.18.8", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.16:-:*:*:*:*:*:*", "matchCriteriaId": "F60469AF-0A23-41D3-BC6A-C0D9A45A2CBC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.16:rc5:*:*:*:*:*:*", "matchCriteriaId": "CA2A106F-944D-42C5-BB4B-E81B97A57CDA", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.16:rc6:*:*:*:*:*:*", "matchCriteriaId": "B14098E0-F40A-4C8E-B285-E96E6E604582", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.16:rc7:*:*:*:*:*:*", "matchCriteriaId": "01CC5953-3A04-4AA8-B8F9-18BFE5EF7FCE", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: avoid one data-race in l2tp_tunnel_del_work()\n\nWe should read sk->sk_socket only when dealing with kernel sockets.\n\nsyzbot reported the following data-race:\n\nBUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release\n\nwrite to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0:\n sk_set_socket include/net/sock.h:2092 [inline]\n sock_orphan include/net/sock.h:2118 [inline]\n sk_common_release+0xae/0x230 net/core/sock.c:4003\n udp_lib_close+0x15/0x20 include/net/udp.h:325\n inet_release+0xce/0xf0 net/ipv4/af_inet.c:437\n __sock_release net/socket.c:662 [inline]\n sock_close+0x6b/0x150 net/socket.c:1455\n __fput+0x29b/0x650 fs/file_table.c:468\n ____fput+0x1c/0x30 fs/file_table.c:496\n task_work_run+0x131/0x1a0 kernel/task_work.c:233\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n __exit_to_user_mode_loop kernel/entry/common.c:44 [inline]\n exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75\n __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]\n syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]\n do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nread to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1:\n l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418\n process_one_work kernel/workqueue.c:3257 [inline]\n process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340\n worker_thread+0x582/0x770 kernel/workqueue.c:3421\n kthread+0x489/0x510 kernel/kthread.c:463\n ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n\nvalue changed: 0xffff88811b818000 -> 0x0000000000000000"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nl2tp: evitar una carrera de datos en l2tp_tunnel_del_work()\n\nDeber\u00edamos leer sk->sk_socket solo cuando se trata de sockets del kernel.\n\nsyzbot inform\u00f3 la siguiente carrera de datos:\n\nBUG: KCSAN: carrera de datos en l2tp_tunnel_del_work / sk_common_release\n\nescritura en 0xffff88811c182b20 de 8 bytes por la tarea 5365 en la cpu 0:\n sk_set_socket include/net/sock.h:2092 [inline]\n sock_orphan include/net/sock.h:2118 [inline]\n sk_common_release+0xae/0x230 net/core/sock.c:4003\n udp_lib_close+0x15/0x20 include/net/udp.h:325\n inet_release+0xce/0xf0 net/ipv4/af_inet.c:437\n __sock_release net/socket.c:662 [inline]\n sock_close+0x6b/0x150 net/socket.c:1455\n __fput+0x29b/0x650 fs/file_table.c:468\n ____fput+0x1c/0x30 fs/file_table.c:496\n task_work_run+0x131/0x1a0 kernel/task_work.c:233\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n __exit_to_user_mode_loop kernel/entry/common.c:44 [inline]\n exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75\n __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]\n syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]\n do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nlectura en 0xffff88811c182b20 de 8 bytes por la tarea 827 en la cpu 1:\n l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418\n process_one_work kernel/workqueue.c:3257 [inline]\n process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340\n worker_thread+0x582/0x770 kernel/workqueue.c:3421\n kthread+0x489/0x510 kernel/kthread.c:463\n ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n\nvalor cambiado: 0xffff88811b818000 -> 0x0000000000000000"}], "id": "CVE-2026-23120", "lastModified": "2026-03-18T13:39:35.227", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-14T15:16:07.157", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1f63ca44b4f419a1663d94d1bb0b4e2beb73fdb4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/32d417497b79efb403d75f4c185fe6fd9d64b94f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/36c40a80109f1771d59558050b1a71e13c60c759"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3d6d414b214ce31659bded2f8df50c93a3769474"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/68e92085427c84e7679ddb53c0d68836d220b6e7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7a29f6bf60f2590fe5e9c4decb451e19afad2bcf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/eae074dab764ea181bbed5e88626889319177498"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: l2tp: avoid one data-race in l2tp_tunnel_del_work()", "id": "2439850", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439850"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23120", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23120\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23120\nhttps://lore.kernel.org/linux-cve-announce/2026021407-CVE-2026-23120-5f82@gregkh/T"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d00fa9adc528c1b0e64d532556764852df8bd7b9,1f63ca44b4f419a1663d94d1bb0b4e2beb73fdb4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d00fa9adc528c1b0e64d532556764852df8bd7b9,36c40a80109f1771d59558050b1a71e13c60c759)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d00fa9adc528c1b0e64d532556764852df8bd7b9,eae074dab764ea181bbed5e88626889319177498)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d00fa9adc528c1b0e64d532556764852df8bd7b9,68e92085427c84e7679ddb53c0d68836d220b6e7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d00fa9adc528c1b0e64d532556764852df8bd7b9,3d6d414b214ce31659bded2f8df50c93a3769474)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d00fa9adc528c1b0e64d532556764852df8bd7b9,32d417497b79efb403d75f4c185fe6fd9d64b94f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d00fa9adc528c1b0e64d532556764852df8bd7b9,7a29f6bf60f2590fe5e9c4decb451e19afad2bcf)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "15df699fdc5af46a9fb15ae2d9326294852de5b5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "18bdaefc715b4530b4b2fe670506bb47713664cc"}}], "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.16"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,4.16)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.10.249,5.11.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.199,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.162,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.122,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.68,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.8,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19,*]"}}], "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-17T19:43:42.993696+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the L2TP data\u2011race fix; the fix is available in recent mainline releases following the commit that addresses the issue.", "Verify the running kernel version and apply the update through your distribution's package manager or through manual building of a patched kernel.", "If an update cannot be applied immediately, mitigate by disabling or uninstalling L2TP services until a patched kernel is available.", "Maintain vigilance by monitoring vendor advisories for additional patches or mitigations."], "summary": {"action": "Patch kernel", "impact": "Denial of Service via kernel crash"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in all Linux kernel versions from 4.16 onward, including the listed release builds through 6.19 RC6. All Linux distributions shipping these kernel releases are affected, regardless of vendor or distribution version.", "description_and_impact": "A concurrent data\u2011race has been discovered in the Linux kernel L2TP implementation when deleting a tunnel, causing a clash between a socket cleanup routine and a workqueue thread that still holds a reference to the socket. The race allows memory corruption that can lead to a kernel crash, denying service and potentially enabling further compromise if additional vulnerabilities are chained. The flaw is a classic race condition (CWE\u2011362).", "risk_and_exploitability": "The CVSS score of 5.5 and an EPSS score below 1\u202f% reflect a medium\u2011severity issue with a currently low exploitation probability. Nevertheless, the race can corrupt kernel memory and trigger a crash, presenting a local attack vector that would require an attacker to influence L2TP tunnel lifecycle or execute code in kernel space with elevated privileges. No publicly known exploits are listed in the KEV catalog, so exploitation depends on custom or internal tooling."}}}}, "created": "2026-02-16T12:01:45.315163+00:00", "updated": "2026-04-17T19:45:25.902593+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-362"]}