The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-23393

CVE-2026-23393: Linux Kernel Race Condition Vulnerability

CVE-2026-23393 is a race condition vulnerability in the Linux kernel bridge CFM component affecting peer MEP deletion. This security flaw can cause use-after-free conditions. This article covers technical details, impact, and fixes.

Published: March 27, 2026

CVE-2026-23393 Overview

A race condition vulnerability has been identified in the Linux kernel's bridge Connectivity Fault Management (CFM) subsystem. The flaw exists in the peer MEP (Maintenance End Point) deletion process, where improper synchronization between the deletion routine and frame reception can lead to use-after-free conditions. When a peer MEP is being deleted, cancel_delayed_work_sync() is called on ccm_rx_dwork before freeing the structure. However, br_cfm_frame_rx() runs in softirq context under rcu_read_lock (without RTNL) and can re-schedule ccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync() returning and kfree_rcu() being called.

Critical Impact

This race condition can result in use-after-free access when the delayed work executes on a freed peer_mep structure, potentially leading to kernel memory corruption, denial of service, or privilege escalation.

Affected Products

  • Linux kernel (bridge CFM subsystem)
  • Systems utilizing bridge connectivity fault management features
  • Network infrastructure components running affected kernel versions

Discovery Timeline

  • 2026-03-25 - CVE CVE-2026-23393 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2026-23393

Vulnerability Analysis

This vulnerability is classified as a Race Condition and Use After Free in the Linux kernel bridge CFM module. The issue arises from improper synchronization in the mep_delete_implementation() function when deleting peer MEP structures. The race window exists because frame reception processing in br_cfm_frame_rx() operates under RCU read lock without RTNL protection, allowing concurrent access to the peer MEP structure during the deletion sequence.

The fundamental problem is that cancel_delayed_work_sync() only cancels pending or running work, but does not prevent the work from being re-queued after it returns. When br_cfm_frame_rx() processes a CCM frame and detects the peer MEP is still present in the hash list (before hlist_del_rcu() executes), it can call ccm_rx_timer_start() which queues the delayed work again. This newly queued work will then execute after kfree_rcu() has freed the peer MEP structure, resulting in a use-after-free condition.

Root Cause

The root cause is the use of cancel_delayed_work_sync() in the peer MEP deletion path, which only cancels existing scheduled work but does not prevent subsequent re-scheduling. The br_cfm_frame_rx() function runs in softirq context and can re-arm the ccm_rx_dwork delayed work after the cancellation but before the RCU-protected free operation completes. The fix replaces cancel_delayed_work_sync() with disable_delayed_work_sync() in both peer MEP deletion paths, which prevents any subsequent queue_delayed_work() calls from succeeding.

Attack Vector

The attack vector involves triggering the race condition between peer MEP deletion operations and CFM frame reception processing. An attacker would need to:

  1. Identify a system using the Linux kernel bridge CFM functionality
  2. Generate CFM CCM frames targeting a peer MEP that is being deleted
  3. Time the frame transmission to arrive between cancel_delayed_work_sync() completion and kfree_rcu() execution
  4. The ccm_rx_work_expired() callback will then operate on freed memory

The race scenario as documented in the kernel patch demonstrates the timing window:

On CPU0, mep_delete_implementation() calls cancel_delayed_work_sync(ccm_rx_dwork). Before CPU0 can execute hlist_del_rcu() and kfree_rcu(), CPU1 processes br_cfm_frame_rx(), finds the peer_mep still in the hash list, and if peer_mep->ccm_defect is set, calls ccm_rx_timer_start() which re-queues the delayed work. CPU0 then completes the deletion and frees the structure. Subsequently, ccm_rx_work_expired() runs on CPU1, accessing the freed peer_mep structure.

Detection Methods for CVE-2026-23393

Indicators of Compromise

  • Kernel oops or panic messages referencing ccm_rx_work_expired or bridge CFM functions
  • Slab corruption warnings related to network subsystem structures
  • Unexpected system crashes or hangs when network bridge CFM operations are active
  • KASAN (Kernel Address Sanitizer) reports indicating use-after-free in bridge CFM code

Detection Strategies

  • Enable KASAN (Kernel Address Sanitizer) in development/test environments to detect use-after-free conditions
  • Monitor kernel logs for oops or BUG() messages involving br_cfm or ccm_rx function names
  • Deploy kernel tracing to monitor delayed work queue operations on systems using bridge CFM
  • Implement system monitoring for unexpected kernel crashes correlating with CFM traffic patterns

Monitoring Recommendations

  • Configure dmesg log forwarding to a central SIEM for kernel message analysis
  • Enable slab debugging (CONFIG_DEBUG_SLAB) on non-production systems to detect memory corruption
  • Monitor system stability metrics on hosts running bridge CFM configurations
  • Set up alerts for kernel oops events, particularly those involving network bridge components

How to Mitigate CVE-2026-23393

Immediate Actions Required

  • Update the Linux kernel to a patched version containing the fix
  • Review systems for bridge CFM usage and prioritize patching for affected hosts
  • Consider temporarily disabling CFM functionality on critical systems until patches can be applied
  • Monitor affected systems for signs of exploitation or instability

Patch Information

The fix has been committed to the stable Linux kernel tree. The patch replaces cancel_delayed_work_sync() with disable_delayed_work_sync() in the peer MEP deletion paths, ensuring that subsequent queue_delayed_work() calls from br_cfm_frame_rx() are silently rejected rather than re-scheduling work on a structure about to be freed. The cc_peer_disable() helper retains cancel_delayed_work_sync() because it is used for the CC enable/disable toggle path where the work must remain re-schedulable.

Kernel patches are available via:

  • Kernel Git Commit 1fd81151f659
  • Kernel Git Commit 3715a0085531
  • Kernel Git Commit d8f35767bacb
  • Kernel Git Commit e89dbd2736a4

Workarounds

  • Disable bridge CFM functionality if not required for operations
  • Restrict access to systems using bridge CFM to trusted network segments
  • Implement network segmentation to limit exposure of systems running affected configurations
  • Apply kernel live patching solutions if available for your distribution
bash
# Check if bridge CFM module is loaded
lsmod | grep br_netfilter
# Review bridge configuration for CFM usage
bridge link show
# Disable CFM on bridge interface if not needed (example)
# Consult your distribution documentation for proper bridge CFM configuration

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeRace Condition
  • Vendor/TechLinux Kernel
  • SeverityNONE
  • CVSS ScoreN/A
  • EPSS Probability0.02%
  • Known ExploitedNo
  • Impact Assessment
  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityNone
  • Technical References
  • Kernel Git Commit Update
  • Kernel Git Commit Update
  • Kernel Git Commit Update
  • Kernel Git Commit Update
  • Related CVEs
  • CVE-2026-23411: Linux Kernel Race Condition Vulnerability
  • CVE-2026-23410: Linux Kernel Race Condition Vulnerability
  • CVE-2026-23400: Linux Kernel Race Condition Vulnerability
  • CVE-2026-23356: Linux Kernel Race Condition Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English