{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23441", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.017Z", "datePublished": "2026-04-03T15:15:25.380Z", "dateUpdated": "2026-05-11T22:06:58.123Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:06:58.123Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Prevent concurrent access to IPSec ASO context\n\nThe query or updating IPSec offload object is through Access ASO WQE.\nThe driver uses a single mlx5e_ipsec_aso struct for each PF, which\ncontains a shared DMA-mapped context for all ASO operations.\n\nA race condition exists because the ASO spinlock is released before\nthe hardware has finished processing WQE. If a second operation is\ninitiated immediately after, it overwrites the shared context in the\nDMA area.\n\nWhen the first operation's completion is processed later, it reads\nthis corrupted context, leading to unexpected behavior and incorrect\nresults.\n\nThis commit fixes the race by introducing a private context within\neach IPSec offload object. The shared ASO context is now copied to\nthis private context while the ASO spinlock is held. Subsequent\nprocessing uses this saved, per-object context, ensuring its integrity\nis maintained."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h", "drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c"], "versions": [{"version": "1ed78fc033074c55221a80498204c539a3696877", "lessThan": "99aaee927800ea00b441b607737f9f67b1899755", "status": "affected", "versionType": "git"}, {"version": "1ed78fc033074c55221a80498204c539a3696877", "lessThan": "c3db55dc0f3344b62da25b025a8396d78763b5fa", "status": "affected", "versionType": "git"}, {"version": "1ed78fc033074c55221a80498204c539a3696877", "lessThan": "2c6a5be0aee5a44066f68a332c30650900e32ad4", "status": "affected", "versionType": "git"}, {"version": "1ed78fc033074c55221a80498204c539a3696877", "lessThan": "6834d196107d5267dcad31b44211da7698e8f618", "status": "affected", "versionType": "git"}, {"version": "1ed78fc033074c55221a80498204c539a3696877", "lessThan": "99b36850d881e2d65912b2520a1c80d0fcc9429a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h", "drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c"], "versions": [{"version": "6.2", "status": "affected"}, {"version": "0", "lessThan": "6.2", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/99aaee927800ea00b441b607737f9f67b1899755"}, {"url": "https://git.kernel.org/stable/c/c3db55dc0f3344b62da25b025a8396d78763b5fa"}, {"url": "https://git.kernel.org/stable/c/2c6a5be0aee5a44066f68a332c30650900e32ad4"}, {"url": "https://git.kernel.org/stable/c/6834d196107d5267dcad31b44211da7698e8f618"}, {"url": "https://git.kernel.org/stable/c/99b36850d881e2d65912b2520a1c80d0fcc9429a"}], "title": "net/mlx5e: Prevent concurrent access to IPSec ASO context", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1904C76C-974E-4DEA-9E2B-C26F3C5420AD", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.2.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "28D591F5-B196-4CC9-905C-DC80F116E7A8", "versionEndExcluding": "6.12.78", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5571059-6552-48E7-9BEF-3E358C387171", "versionEndExcluding": "6.18.20", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "96D34333-38BE-4414-9E79-6EB764329581", "versionEndExcluding": "6.19.10", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:-:*:*:*:*:*:*", "matchCriteriaId": "3ADCCCEE-143A-4B48-9B2A-0CB97BD385DE", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Prevent concurrent access to IPSec ASO context\n\nThe query or updating IPSec offload object is through Access ASO WQE.\nThe driver uses a single mlx5e_ipsec_aso struct for each PF, which\ncontains a shared DMA-mapped context for all ASO operations.\n\nA race condition exists because the ASO spinlock is released before\nthe hardware has finished processing WQE. If a second operation is\ninitiated immediately after, it overwrites the shared context in the\nDMA area.\n\nWhen the first operation's completion is processed later, it reads\nthis corrupted context, leading to unexpected behavior and incorrect\nresults.\n\nThis commit fixes the race by introducing a private context within\neach IPSec offload object. The shared ASO context is now copied to\nthis private context while the ASO spinlock is held. Subsequent\nprocessing uses this saved, per-object context, ensuring its integrity\nis maintained."}], "id": "CVE-2026-23441", "lastModified": "2026-04-23T20:59:07.087", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-03T16:16:26.340", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2c6a5be0aee5a44066f68a332c30650900e32ad4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6834d196107d5267dcad31b44211da7698e8f618"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/99aaee927800ea00b441b607737f9f67b1899755"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/99b36850d881e2d65912b2520a1c80d0fcc9429a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c3db55dc0f3344b62da25b025a8396d78763b5fa"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: net/mlx5e: Prevent concurrent access to IPSec ASO context", "id": "2454840", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454840"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-821", "details": ["A flaw was found in the Linux kernel's `net/mlx5e` driver. A race condition occurs when the ASO spinlock is released prematurely, allowing concurrent operations to overwrite a shared Direct Memory Access (DMA) context. This can lead to the processing of corrupted data, resulting in unexpected behavior and incorrect results within the IPSec offload functionality."], "name": "CVE-2026-23441", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23441\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23441\nhttps://lore.kernel.org/linux-cve-announce/2026040313-CVE-2026-23441-b47e@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1ed78fc033074c55221a80498204c539a3696877,99aaee927800ea00b441b607737f9f67b1899755)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1ed78fc033074c55221a80498204c539a3696877,c3db55dc0f3344b62da25b025a8396d78763b5fa)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1ed78fc033074c55221a80498204c539a3696877,2c6a5be0aee5a44066f68a332c30650900e32ad4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1ed78fc033074c55221a80498204c539a3696877,6834d196107d5267dcad31b44211da7698e8f618)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1ed78fc033074c55221a80498204c539a3696877,99b36850d881e2d65912b2520a1c80d0fcc9429a)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.2"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.2)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T21:47:49.924775+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that contains the fix for the mlx5e IPSec offload race condition.", "If an immediate kernel upgrade is not feasible, disable IPSec offload functionality in the mlx5e driver to prevent concurrent context access.", "Monitor system logs for anomalous mlx5e driver behavior and verify that no IPSec offload processing occurs until the patch is applied."], "summary": {"action": "Apply patch", "impact": "Kernel data integrity and stability may be compromised via a race condition in the mlx5e IPSec offload driver."}, "threat_synthesis": {"affected_systems": "The vulnerability affects Linux kernels that include the mlx5e driver with IPSec offload support. Any distribution or custom kernel that loads this driver prior to the applied fix is susceptible. Affected kernel versions are all Linux kernels, including Linux kernel 6.2 and Linux kernel 7.0 release candidates 1 through 7.", "description_and_impact": "A race condition exists in the Linux kernel\u2019s mlx5e network driver, which manages IPSec offload (ASO) operations. The driver uses a single shared context for all ASO processes per physical function. Because the ASO spinlock is released before the hardware finishes processing the associated Work Queue Element, an immediate subsequent operation can overwrite the DMA\u2011mapped context. When the first operation finally completes, it reads this corrupted context, leading to incorrect results and unpredictable kernel behavior. The underlying weakness is a race condition between resource release and use (CWE\u2011362).", "risk_and_exploitability": "The CVSS score of 4.7 indicates a medium severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further indicating limited real\u2011world exploitation. Exploitation would likely require a race between remotely triggered IPSec offload transactions or privileged network traffic to trigger concurrent access, which is inferred from the description. If exploited, the attacker could cause kernel data corruption, potentially leading to privilege escalation or denial of service. The current impact is limited to improper driver behavior but could evolve into a broader system compromise if memory corruption occurs."}}}}, "created": "2026-04-03T21:13:57.156299+00:00", "updated": "2026-04-28T22:00:14.098777+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}