{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23393", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.011Z", "datePublished": "2026-03-25T10:33:17.407Z", "dateUpdated": "2026-05-11T22:06:00.768Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:06:00.768Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: cfm: Fix race condition in peer_mep deletion\n\nWhen a peer MEP is being deleted, cancel_delayed_work_sync() is called\non ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in\nsoftirq context under rcu_read_lock (without RTNL) and can re-schedule\nccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync()\nreturning and kfree_rcu() being called.\n\nThe following is a simple race scenario:\n\n cpu0 cpu1\n\nmep_delete_implementation()\n cancel_delayed_work_sync(ccm_rx_dwork);\n br_cfm_frame_rx()\n // peer_mep still in hlist\n if (peer_mep->ccm_defect)\n ccm_rx_timer_start()\n queue_delayed_work(ccm_rx_dwork)\n hlist_del_rcu(&peer_mep->head);\n kfree_rcu(peer_mep, rcu);\n ccm_rx_work_expired()\n // on freed peer_mep\n\nTo prevent this, cancel_delayed_work_sync() is replaced with\ndisable_delayed_work_sync() in both peer MEP deletion paths, so\nthat subsequent queue_delayed_work() calls from br_cfm_frame_rx()\nare silently rejected.\n\nThe cc_peer_disable() helper retains cancel_delayed_work_sync()\nbecause it is also used for the CC enable/disable toggle path where\nthe work must remain re-schedulable."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bridge/br_cfm.c"], "versions": [{"version": "dc32cbb3dbd7da38c700d6e0fc6354df24920525", "lessThan": "e89dbd2736a45f0507949af4748cbbf3ff793146", "status": "affected", "versionType": "git"}, {"version": "dc32cbb3dbd7da38c700d6e0fc6354df24920525", "lessThan": "d8f35767bacb3c7769d470a41cf161e3f3c07e70", "status": "affected", "versionType": "git"}, {"version": "dc32cbb3dbd7da38c700d6e0fc6354df24920525", "lessThan": "1fd81151f65927fd9edb8ecd12ad45527dbbe5ab", "status": "affected", "versionType": "git"}, {"version": "dc32cbb3dbd7da38c700d6e0fc6354df24920525", "lessThan": "3715a00855316066cdda69d43648336367422127", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bridge/br_cfm.c"], "versions": [{"version": "5.11", "status": "affected"}, {"version": "0", "lessThan": "5.11", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/e89dbd2736a45f0507949af4748cbbf3ff793146"}, {"url": "https://git.kernel.org/stable/c/d8f35767bacb3c7769d470a41cf161e3f3c07e70"}, {"url": "https://git.kernel.org/stable/c/1fd81151f65927fd9edb8ecd12ad45527dbbe5ab"}, {"url": "https://git.kernel.org/stable/c/3715a00855316066cdda69d43648336367422127"}], "title": "bridge: cfm: Fix race condition in peer_mep deletion", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0618528B-8039-4E87-8695-397AE7D4B4E5", "versionEndExcluding": "6.12.78", "versionStartIncluding": "5.11.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5571059-6552-48E7-9BEF-3E358C387171", "versionEndExcluding": "6.18.20", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "96D34333-38BE-4414-9E79-6EB764329581", "versionEndExcluding": "6.19.10", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.11:-:*:*:*:*:*:*", "matchCriteriaId": "7AD3510E-E8FA-47F3-9AD5-D8EA4A2719D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: cfm: Fix race condition in peer_mep deletion\n\nWhen a peer MEP is being deleted, cancel_delayed_work_sync() is called\non ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in\nsoftirq context under rcu_read_lock (without RTNL) and can re-schedule\nccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync()\nreturning and kfree_rcu() being called.\n\nThe following is a simple race scenario:\n\n cpu0 cpu1\n\nmep_delete_implementation()\n cancel_delayed_work_sync(ccm_rx_dwork);\n br_cfm_frame_rx()\n // peer_mep still in hlist\n if (peer_mep->ccm_defect)\n ccm_rx_timer_start()\n queue_delayed_work(ccm_rx_dwork)\n hlist_del_rcu(&peer_mep->head);\n kfree_rcu(peer_mep, rcu);\n ccm_rx_work_expired()\n // on freed peer_mep\n\nTo prevent this, cancel_delayed_work_sync() is replaced with\ndisable_delayed_work_sync() in both peer MEP deletion paths, so\nthat subsequent queue_delayed_work() calls from br_cfm_frame_rx()\nare silently rejected.\n\nThe cc_peer_disable() helper retains cancel_delayed_work_sync()\nbecause it is also used for the CC enable/disable toggle path where\nthe work must remain re-schedulable."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad:\n\nbridge: cfm: Correcci\u00f3n de condici\u00f3n de carrera en la eliminaci\u00f3n de peer_mep\n\nCuando se est\u00e1 eliminando un MEP par, se llama a cancel_delayed_work_sync() en ccm_rx_dwork antes de la liberaci\u00f3n. Sin embargo, br_cfm_frame_rx() se ejecuta en contexto de softirq bajo rcu_read_lock (sin RTNL) y puede reprogramar ccm_rx_dwork a trav\u00e9s de ccm_rx_timer_start() entre el retorno de cancel_delayed_work_sync() y la llamada a kfree_rcu().\n\nEl siguiente es un escenario de condici\u00f3n de carrera simple:\n\n cpu0 cpu1\n\nmep_delete_implementation()\n cancel_delayed_work_sync(ccm_rx_dwork);\n br_cfm_frame_rx()\n // peer_mep todav\u00eda en hlist\n if (peer_mep->ccm_defect)\n ccm_rx_timer_start()\n queue_delayed_work(ccm_rx_dwork)\n hlist_del_rcu(&peer_mep->head);\n kfree_rcu(peer_mep, rcu);\n ccm_rx_work_expired()\n // en peer_mep liberado\n\nPara evitar esto, cancel_delayed_work_sync() se reemplaza por disable_delayed_work_sync() en ambas rutas de eliminaci\u00f3n de MEP par, de modo que las llamadas posteriores a queue_delayed_work() desde br_cfm_frame_rx() sean rechazadas silenciosamente.\n\nLa funci\u00f3n auxiliar cc_peer_disable() mantiene cancel_delayed_work_sync() porque tambi\u00e9n se utiliza para la ruta de alternancia de habilitaci\u00f3n/deshabilitaci\u00f3n de CC donde el trabajo debe permanecer reprogramable."}], "id": "CVE-2026-23393", "lastModified": "2026-04-24T18:39:39.577", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-03-25T11:16:40.040", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1fd81151f65927fd9edb8ecd12ad45527dbbe5ab"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3715a00855316066cdda69d43648336367422127"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d8f35767bacb3c7769d470a41cf161e3f3c07e70"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e89dbd2736a45f0507949af4748cbbf3ff793146"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: bridge: cfm: Fix race condition in peer_mep deletion", "id": "2451260", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451260"}, "csaw": false, "cwe": "CWE-825", "details": ["A flaw was found in the Linux kernel's bridge Connectivity Fault Management (CFM) component. A race condition can occur during the deletion of a peer Maintenance Entity Group End Point (MEP). This allows the `br_cfm_frame_rx()` function to re-schedule a delayed work on a MEP object after it has been marked for deletion but before it is fully freed. This may lead to a use-after-free vulnerability, potentially causing a denial of service or arbitrary code execution."], "name": "CVE-2026-23393", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23393\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23393\nhttps://lore.kernel.org/linux-cve-announce/2026032548-CVE-2026-23393-c395@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[dc32cbb3dbd7da38c700d6e0fc6354df24920525,e89dbd2736a45f0507949af4748cbbf3ff793146)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[dc32cbb3dbd7da38c700d6e0fc6354df24920525,d8f35767bacb3c7769d470a41cf161e3f3c07e70)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[dc32cbb3dbd7da38c700d6e0fc6354df24920525,1fd81151f65927fd9edb8ecd12ad45527dbbe5ab)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[dc32cbb3dbd7da38c700d6e0fc6354df24920525,3715a00855316066cdda69d43648336367422127)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.11"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,5.11)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T16:57:25.452668+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that incorporates the commit replacing cancel_delayed_work_sync() with disable_delayed_work_sync() or to any later stable release that includes this fix.", "Reboot the system after upgrading so that the updated kernel image is loaded and all modules are reinitialized.", "If the CFM protocol is not required, disable it on bridges by removing the bridge\u2011cfm module or adjusting bridge configuration to turn off CFM support."], "summary": {"action": "Immediate Patch", "impact": "Use\u2011after\u2011free leading to kernel crash"}, "threat_synthesis": {"affected_systems": "Linux kernel images that include the bridge driver with CFM support and contain the pre\u2011patch code path are affected. This includes kernels starting from 5.11 and all 7.x release candidate builds referenced in the CPE list, as long as they implement the CFM module. Operators should consider any kernel versions compiled before the commit that replaces cancel_delayed_work_sync() with disable_delayed_work_sync() as vulnerable.", "description_and_impact": "The Linux kernel bridge CFM module contains a race condition that allows a peer MEP object to be freed while a delayed work task can still be scheduled against it. If a br_cfm_frame_rx() invocation schedules the work between the cancellation of delayed work and the actual free, the work function will later run against deallocated memory, creating a use\u2011after\u2011free flaw that can corrupt kernel state or crash the system. This flaw is identified as CWE\u2011825 and CWE\u2011362.", "risk_and_exploitability": "The CVSS score of 7.8 signals high severity, and the EPSS score is below 1\u202f% with the vulnerability not listed in CISA KEV, indicating a low overall likelihood of public exploitation. Based on the description, an attacker could send crafted CFM frames while a peer MEP deletion is in progress, a scenario that may be achievable by a network or local attacker with control over bridge traffic. The exploit would trigger the use\u2011after\u2011free, potentially causing kernel instability or a crash."}}}}, "created": "2026-03-25T21:31:23.160904+00:00", "updated": "2026-04-28T17:00:13.463608+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}