{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23296", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.993Z", "datePublished": "2026-03-25T10:26:53.509Z", "dateUpdated": "2026-05-11T22:04:08.372Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:04:08.372Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix refcount leak for tagset_refcnt\n\nThis leak will cause a hang when tearing down the SCSI host. For example,\niscsid hangs with the following call trace:\n\n[130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured\n\nPID: 2528 TASK: ffff9d0408974e00 CPU: 3 COMMAND: \"iscsid\"\n #0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4\n #1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f\n #2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0\n #3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f\n #4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b\n #5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp]\n #6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi]\n #7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi]\n #8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6\n #9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/scsi/scsi_scan.c"], "versions": [{"version": "f818708eeeae793e12dc39f8984ed7732048a7d9", "lessThan": "0e274674714427dc578bb99db5b86e312d2b57f8", "status": "affected", "versionType": "git"}, {"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506", "lessThan": "9f5e4abed9248448aa1b45b12ab0bea4d329b56a", "status": "affected", "versionType": "git"}, {"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506", "lessThan": "7c01b680beaf4d3143866b062b8e770e8b237fb8", "status": "affected", "versionType": "git"}, {"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506", "lessThan": "ec5c17c687b189dbc09dfdec11b669caa40bc395", "status": "affected", "versionType": "git"}, {"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506", "lessThan": "944a333c8e4d42256556c1d2ebb6d773a33e0dcd", "status": "affected", "versionType": "git"}, {"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506", "lessThan": "a03d96598d39fdf605d90731db3ef3b13fb8bdc8", "status": "affected", "versionType": "git"}, {"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506", "lessThan": "1ac22c8eae81366101597d48360718dff9b9d980", "status": "affected", "versionType": "git"}, {"version": "5ce8fad941233e81f2afb5b52a3fcddd3ba8732f", "status": "affected", "versionType": "git"}, {"version": "2e7eb4c1e8af8385de22775bd0be552f59b28c9a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/scsi/scsi_scan.c"], "versions": [{"version": "6.0", "status": "affected"}, {"version": "0", "lessThan": "6.0", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.164", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.223"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.19.12"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0e274674714427dc578bb99db5b86e312d2b57f8"}, {"url": "https://git.kernel.org/stable/c/9f5e4abed9248448aa1b45b12ab0bea4d329b56a"}, {"url": "https://git.kernel.org/stable/c/7c01b680beaf4d3143866b062b8e770e8b237fb8"}, {"url": "https://git.kernel.org/stable/c/ec5c17c687b189dbc09dfdec11b669caa40bc395"}, {"url": "https://git.kernel.org/stable/c/944a333c8e4d42256556c1d2ebb6d773a33e0dcd"}, {"url": "https://git.kernel.org/stable/c/a03d96598d39fdf605d90731db3ef3b13fb8bdc8"}, {"url": "https://git.kernel.org/stable/c/1ac22c8eae81366101597d48360718dff9b9d980"}], "title": "scsi: core: Fix refcount leak for tagset_refcnt", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix refcount leak for tagset_refcnt\n\nThis leak will cause a hang when tearing down the SCSI host. For example,\niscsid hangs with the following call trace:\n\n[130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured\n\nPID: 2528 TASK: ffff9d0408974e00 CPU: 3 COMMAND: \"iscsid\"\n #0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4\n #1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f\n #2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0\n #3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f\n #4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b\n #5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp]\n #6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi]\n #7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi]\n #8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6\n #9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nscsi: core: Correcci\u00f3n de fuga de contador de referencias para tagset_refcnt\n\nEsta fuga causar\u00e1 un cuelgue al desmontar el host SCSI. Por ejemplo,\niscsid se cuelga con el siguiente rastreo de llamadas:\n\n[130120.652718] scsi_alloc_sdev: Fallo de asignaci\u00f3n durante el escaneo SCSI, algunos dispositivos SCSI podr\u00edan no estar configurados\n\nPID: 2528 TAREA: ffff9d0408974e00 CPU: 3 COMANDO: iscsid\n #0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4\n #1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f\n #2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0\n #3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f\n #4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b\n #5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp]\n #6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi]\n #7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi]\n #8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6\n #9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef"}], "id": "CVE-2026-23296", "lastModified": "2026-04-18T09:16:17.420", "metrics": {}, "published": "2026-03-25T11:16:24.980", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0e274674714427dc578bb99db5b86e312d2b57f8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1ac22c8eae81366101597d48360718dff9b9d980"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7c01b680beaf4d3143866b062b8e770e8b237fb8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/944a333c8e4d42256556c1d2ebb6d773a33e0dcd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9f5e4abed9248448aa1b45b12ab0bea4d329b56a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a03d96598d39fdf605d90731db3ef3b13fb8bdc8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ec5c17c687b189dbc09dfdec11b669caa40bc395"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: scsi: core: Fix refcount leak for tagset_refcnt", "id": "2451174", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451174"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-911", "details": ["A flaw was found in the Linux kernel's SCSI core. A reference count leak, a type of resource management issue, occurs when tearing down a SCSI host due to an error in the `tagset_refcnt` mechanism. This can cause the system to hang, leading to a Denial of Service (DoS) for the affected system."], "name": "CVE-2026-23296", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23296\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23296\nhttps://lore.kernel.org/linux-cve-announce/2026032526-CVE-2026-23296-eb4a@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8fe4ce5836e932f5766317cb651c1ff2a4cd0506,9f5e4abed9248448aa1b45b12ab0bea4d329b56a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8fe4ce5836e932f5766317cb651c1ff2a4cd0506,7c01b680beaf4d3143866b062b8e770e8b237fb8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8fe4ce5836e932f5766317cb651c1ff2a4cd0506,ec5c17c687b189dbc09dfdec11b669caa40bc395)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8fe4ce5836e932f5766317cb651c1ff2a4cd0506,944a333c8e4d42256556c1d2ebb6d773a33e0dcd)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8fe4ce5836e932f5766317cb651c1ff2a4cd0506,a03d96598d39fdf605d90731db3ef3b13fb8bdc8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8fe4ce5836e932f5766317cb651c1ff2a4cd0506,1ac22c8eae81366101597d48360718dff9b9d980)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "5ce8fad941233e81f2afb5b52a3fcddd3ba8732f"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "f818708eeeae793e12dc39f8984ed7732048a7d9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "2e7eb4c1e8af8385de22775bd0be552f59b28c9a"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.0"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T14:06:30.319903+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel update that incorporates the patch referenced in the advisory, such as the commit series linked in the provided URLs.", "Verify the running kernel version includes the fix by checking the change log or the relevant commit identifiers.\n", "If an immediate kernel update is not available, consider restarting iscsi services or limiting SCSI host configuration while awaiting the fix."], "summary": {"action": "Apply Patch", "impact": "Denial of Service (system hang during SCSI host teardown)"}, "threat_synthesis": {"affected_systems": "All Linux kernel implementations are affected; vendor or distribution information is not tied to a specific released version in the advisory. The issue resides at the kernel level, so any distribution that includes the vulnerable kernel code is impacted.", "description_and_impact": "A reference count leak in the Linux kernel\u2019s SCSI core occurs when a SCSI host is torn down, leading to a hang in processes such as iscsid. The vulnerability is a form of resource exhaustion (CWE\u2011911) that can disrupt services that depend on SCSI device management, effectively causing a denial of service rather than exposing data or code execution.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1% suggests a very low probability of observed exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog and no public exploit has been reported. Exploitation would likely require an attacker to trigger SCSI host teardown\u2014an action that typically requires local system interaction or a scenario such as disabling SCSI services\u2014which is inferred from the provided trace rather than explicitly documented."}}}}, "created": "2026-03-25T21:15:34.342014+00:00", "updated": "2026-03-27T09:50:10.273120+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}