Bug 2439887 (CVE-2026-23193) - CVE-2026-23193 kernel: scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()
Summary: CVE-2026-23193 kernel: scsi: target: iscsi: Fix use-after-free in iscsit_dec_...
Keywords:
Status: NEW
Alias: CVE-2026-23193
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-02-14 17:01 UTC by OSIDB Bzimport
Modified: 2026-04-06 07:50 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:6153 0 None None None 2026-03-30 11:06:28 UTC
Red Hat Product Errata RHSA-2026:6571 0 None None None 2026-04-06 01:44:45 UTC
Red Hat Product Errata RHSA-2026:6572 0 None None None 2026-04-06 01:31:24 UTC
Red Hat Product Errata RHSA-2026:6632 0 None None None 2026-04-06 07:50:01 UTC

Description OSIDB Bzimport 2026-02-14 17:01:32 UTC 
In the Linux kernel, the following vulnerability has been resolved:

scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()

In iscsit_dec_session_usage_count(), the function calls complete() while
holding the sess->session_usage_lock. Similar to the connection usage count
logic, the waiter signaled by complete() (e.g., in the session release
path) may wake up and free the iscsit_session structure immediately.

This creates a race condition where the current thread may attempt to
execute spin_unlock_bh() on a session structure that has already been
deallocated, resulting in a KASAN slab-use-after-free.

To resolve this, release the session_usage_lock before calling complete()
to ensure all dereferences of the sess pointer are finished before the
waiter is allowed to proceed with deallocation.
Comment 1 Alexander B 2026-02-16 14:32:17 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026021434-CVE-2026-23193-2c6c@gregkh/T
Comment 5 errata-xmlrpc 2026-03-30 11:06:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:6153 https://access.redhat.com/errata/RHSA-2026:6153
Comment 6 errata-xmlrpc 2026-04-06 01:31:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:6572 https://access.redhat.com/errata/RHSA-2026:6572
Comment 7 errata-xmlrpc 2026-04-06 01:44:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:6571 https://access.redhat.com/errata/RHSA-2026:6571
Comment 8 errata-xmlrpc 2026-04-06 07:50:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:6632 https://access.redhat.com/errata/RHSA-2026:6632
Note You need to log in before you can comment on or make changes to this bug.