2440630 – (CVE-2026-23216) CVE-2026-23216 kernel: scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()

Bug 2440630 (CVE-2026-23216) - CVE-2026-23216 kernel: scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()

Summary: CVE-2026-23216 kernel: scsi: target: iscsi: Fix use-after-free in iscsit_dec_...

Keywords:
Status:	NEW
Alias:	CVE-2026-23216
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-18 15:02 UTC by OSIDB Bzimport
Modified:	2026-02-19 21:36 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-18 15:02:39 UTC

In the Linux kernel, the following vulnerability has been resolved:

scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()

In iscsit_dec_conn_usage_count(), the function calls complete() while
holding the conn->conn_usage_lock. As soon as complete() is invoked, the
waiter (such as iscsit_close_connection()) may wake up and proceed to free
the iscsit_conn structure.

If the waiter frees the memory before the current thread reaches
spin_unlock_bh(), it results in a KASAN slab-use-after-free as the function
attempts to release a lock within the already-freed connection structure.

Fix this by releasing the spinlock before calling complete().

Comment 1 Alexander B 2026-02-18 17:27:55 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026021800-CVE-2026-23216-6c63@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.