CVE-2026-23216 Overview
CVE-2026-23216 is a use-after-free vulnerability in the Linux kernel's iSCSI target subsystem, specifically within the iscsit_dec_conn_usage_count() function. The flaw occurs due to improper ordering of operations where complete() is called while still holding the conn->conn_usage_lock spinlock. This race condition allows a waiter thread to free the iscsit_conn structure before the current thread releases the lock, resulting in a KASAN slab-use-after-free when attempting to unlock already-freed memory.
Critical Impact
This use-after-free vulnerability in the Linux kernel iSCSI subsystem could lead to system instability, kernel crashes, or potential privilege escalation in systems utilizing iSCSI storage targets.
Affected Products
- Linux Kernel (multiple stable branches affected)
- Systems running iSCSI target configurations
- Enterprise storage servers utilizing Linux-based iSCSI implementations
Discovery Timeline
- 2026-02-18 - CVE-2026-23216 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-23216
Vulnerability Analysis
The vulnerability resides in the iscsit_dec_conn_usage_count() function within the Linux kernel's SCSI target iSCSI subsystem. The core issue is a classic use-after-free pattern: the wake-up primitive (complete()) is called before the spinlock that lives inside the connection object is released, so the woken thread can free the object while the signaling thread still needs it.
When iscsit_dec_conn_usage_count() is invoked, it calls complete() while still holding conn->conn_usage_lock. The complete() function signals a waiter (typically iscsit_close_connection()) that may be blocking on this completion. Once signaled, the waiter immediately proceeds to free the iscsit_conn structure containing the connection state.
However, because the lock is still held by the thread that called complete(), when that thread subsequently attempts to execute spin_unlock_bh() to release conn->conn_usage_lock, it accesses memory within the now-freed connection structure. This triggers a KASAN (Kernel Address Sanitizer) slab-use-after-free detection, indicating memory corruption.
Root Cause
The root cause is improper synchronization ordering in the connection reference counting logic. The spinlock protecting the connection usage count is released after signaling completion, but the completion signal allows another thread to immediately free the protected structure. The fix involves releasing the spinlock before calling complete(), ensuring no further access to the connection structure occurs after signaling.
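To make the ordering concrete, the following is an added userspace C model of the two orderings; it is not the kernel's code, every struct and helper name is a stand-in, and a shadow "freed" record plays the role of KASAN. It models the worst-case interleaving (the waiter runs immediately when signaled), which on a real kernel depends on scheduling across CPUs.

```c
#include <stdbool.h>
#include <stddef.h>
/* Userspace model of the kernel pattern; names are stand-ins, not the real iscsit_conn. */
struct conn {
    bool usage_lock_held;           /* models conn->conn_usage_lock */
    int  usage_count;               /* models the connection usage count */
    void (*waiter)(struct conn *);  /* models the thread blocked in wait_for_completion() */
};
/* Shadow bookkeeping standing in for KASAN: remembers which object was freed. */
static struct conn *freed_obj;
static int uaf_reports;
static void model_kfree(struct conn *c) { freed_obj = c; }
static void spin_lock_bh_model(struct conn *c) {
    if (c == freed_obj) { uaf_reports++; return; }   /* KASAN: slab-use-after-free */
    c->usage_lock_held = true;
}
static void spin_unlock_bh_model(struct conn *c) {
    if (c == freed_obj) { uaf_reports++; return; }   /* KASAN: slab-use-after-free */
    c->usage_lock_held = false;
}
/* complete(): wake the waiter. Worst case for the race: the waiter runs at once. */
static void complete_model(struct conn *c) { if (c->waiter) c->waiter(c); }
/* What the woken iscsit_close_connection() side does: tear down and free. */
static void close_connection_waiter(struct conn *c) { model_kfree(c); }
/* Vulnerable ordering: complete() is called with the lock still held. */
static void dec_conn_usage_count_vulnerable(struct conn *c) {
    spin_lock_bh_model(c);
    if (--c->usage_count == 0)
        complete_model(c);          /* waiter frees c here ... */
    spin_unlock_bh_model(c);        /* ... and this touches freed memory */
}
/* Fixed ordering: release the lock first, then signal. */
static void dec_conn_usage_count_fixed(struct conn *c) {
    bool last;
    spin_lock_bh_model(c);
    last = (--c->usage_count == 0);
    spin_unlock_bh_model(c);        /* last touch of c by this thread */
    if (last)
        complete_model(c);          /* waiter may free c now; we never look at it again */
}
/* Run one teardown with a single remaining reference; return the UAF report count. */
int run_scenario(bool fixed) {
    struct conn c = { .usage_lock_held = false, .usage_count = 1,
                      .waiter = close_connection_waiter };
    freed_obj = NULL; uaf_reports = 0;
    if (fixed) dec_conn_usage_count_fixed(&c); else dec_conn_usage_count_vulnerable(&c);
    return uaf_reports;
}
```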
Attack Vector
This vulnerability can be triggered through normal iSCSI connection teardown operations. An attacker with network access to an iSCSI target service could potentially craft connection sequences that reliably trigger the race condition. The attack surface includes:
- Network-accessible iSCSI target services
- Rapid connection establishment and teardown patterns
- Timing-sensitive operations that exploit the race window between complete() and spin_unlock_bh()
The vulnerability requires network access to the iSCSI target port (typically TCP 3260) and the ability to establish and terminate iSCSI sessions.
Detection Methods for CVE-2026-23216
Indicators of Compromise
- KASAN (Kernel Address Sanitizer) alerts reporting slab-use-after-free in iscsit_dec_conn_usage_count or related iSCSI functions
- Kernel panic or oops messages referencing iSCSI target subsystem spinlock operations
- Unexpected iSCSI target service crashes or kernel-level instability during connection handling
Detection Strategies
- Enable KASAN in development and testing environments to detect use-after-free violations in the iSCSI subsystem
- Monitor kernel logs (dmesg, /var/log/kern.log) for BUG, WARNING, or KASAN reports involving iscsi or target subsystem functions
- Deploy kernel tracing (ftrace, eBPF) on iscsit_dec_conn_usage_count and iscsit_close_connection to identify anomalous call patterns
Monitoring Recommendations
- Implement continuous monitoring of iSCSI target service availability and stability
- Configure alerting for kernel oops or panic events on systems running iSCSI targets
- Track connection establishment and teardown rates to identify potential exploitation attempts through abnormal connection patterns
How to Mitigate CVE-2026-23216
Immediate Actions Required
- Apply kernel patches from the official Linux kernel stable branches immediately
- Restrict network access to iSCSI target services using firewall rules to limit exposure
- Consider temporarily disabling iSCSI target services on non-critical systems until patches are applied
- Enable KASAN in testing environments to validate patch effectiveness
Patch Information
The Linux kernel maintainers have released patches across multiple stable branches to address this vulnerability. The fix involves reordering operations to release conn->conn_usage_lock before calling complete(), preventing access to potentially freed memory.
Official patches are available through the following kernel commits:
- Commit 275016a551ba
- Commit 3835e49e146a
- Commit 48fe983e92de
- Commit 73b487d44bf4
- Commit 8518f072fc92
- Commit 9411a89e9e71
- Commit ba684191437
Workarounds
- Implement network segmentation to restrict access to iSCSI target services from untrusted networks
- Use iptables or nftables firewall rules to limit connections to TCP port 3260 from authorized initiators only
- Deploy intrusion detection systems to monitor for unusual iSCSI connection patterns that may indicate exploitation attempts
# Example: Restrict iSCSI target access to specific initiator networks
# -A appends, so these rules must come before any broader ACCEPT already in INPUT;
# replace 192.168.1.0/24 with the subnet(s) of your authorized initiators
iptables -A INPUT -p tcp --dport 3260 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 3260 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.