CVE-2026-23440 Overview
A race condition vulnerability has been identified in the Linux kernel's mlx5e network driver, specifically within the IPSec Extended Sequence Number (ESN) handling mechanism. The vulnerability occurs during IPSec full offload mode when the device reports an ESN wrap event to the driver. Due to improper synchronization in the event handling path, the driver can process the same ESN update event multiple times, leading to corruption of the ESN state and subsequent IPSec traffic disruption.
Critical Impact
Successful exploitation causes ESN high-order bits (esn_msb) to be incremented incorrectly, leading to anti-replay failures and a complete halt of IPSec traffic on affected systems.
Affected Products
- Linux kernel with mlx5e network driver
- Systems using Mellanox/NVIDIA ConnectX network adapters with IPSec full offload enabled
- Enterprise Linux distributions using affected kernel versions
Discovery Timeline
- April 3, 2026 - CVE CVE-2026-23440 published to NVD
- April 7, 2026 - Last updated in NVD database
Technical Details for CVE-2026-23440
Vulnerability Analysis
The vulnerability exists in the IPSec ESN event handling code path of the mlx5e driver. In IPSec full offload mode, hardware reports ESN wrap events to the driver when the sequence number approaches its maximum value. The driver validates these events by querying the IPSec ASO (Advanced Software Offload) and checking that the esn_event_arm field is set to 0x0, indicating a legitimate event has occurred.
After validation, the driver calls mlx5_accel_esp_modify_xfrm() to update the kernel's xfrm state. However, this function temporarily releases and re-acquires the xfrm state lock, creating a race window. During this window, if the hardware sends additional events (for any reason), the driver may reprocess the same ESN update before the original handling completes.
This double-processing causes the ESN high-order bits to be incremented twice instead of once. The corrupted ESN state is then programmed into the hardware, causing anti-replay validation failures for legitimate IPSec packets.
Root Cause
The root cause is improper ordering of the event acknowledgment and state modification operations. The driver validates the ESN event and then proceeds to modify the xfrm state before re-arming the event context (setting esn_event_arm back to 0x1). The temporary release of the xfrm state lock during mlx5_accel_esp_modify_xfrm() allows the race condition to occur.
The fix reorders these operations: the driver now re-arms the ESN event immediately after validation and before calling mlx5_accel_esp_modify_xfrm(). Since the next legitimate ESN update only occurs after approximately 2^31 packets are received, there is no risk of missing an actual update event.
Attack Vector
This is a local race condition vulnerability that can be triggered under specific conditions:
The vulnerability manifests when IPSec full offload mode is enabled on Mellanox/NVIDIA ConnectX network adapters. The race window opens when the xfrm state lock is temporarily released during event handling. While the exact attack vector is classified as unknown, the vulnerability could potentially be exploited by an attacker who can control or influence network traffic timing to trigger hardware ESN events during the vulnerable window. The impact is a denial of service condition where all IPSec traffic ceases to function due to anti-replay failures.
Detection Methods for CVE-2026-23440
Indicators of Compromise
- Unexpected IPSec anti-replay failures appearing in kernel logs
- Sudden cessation of IPSec-protected network traffic
- Log entries indicating ESN synchronization errors in mlx5e driver
Detection Strategies
- Monitor kernel logs for mlx5e driver errors related to IPSec or ESN handling
- Track IPSec SA (Security Association) statistics for unexpected anti-replay counter anomalies
- Implement alerting on sudden drops in IPSec tunnel throughput or connectivity
Monitoring Recommendations
- Enable detailed logging for the mlx5e network driver subsystem
- Monitor system journals for xfrm state modification errors
- Implement network monitoring to detect IPSec tunnel failures
How to Mitigate CVE-2026-23440
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix
- Review network infrastructure using Mellanox/NVIDIA ConnectX adapters with IPSec offload
- Consider temporarily disabling IPSec hardware offload until patches are applied
Patch Information
The Linux kernel development team has released patches to address this vulnerability. The fix reorders the ESN event handling to re-arm the event context immediately after validation, closing the race window. Multiple kernel commits address this issue across different kernel branches:
- Kernel Git Commit Update
- Kernel Git Commit Fix
- Kernel Git Commit Changes
- Kernel Git Commit Improvements
- Kernel Git Commit Enhancement
Workarounds
- Disable IPSec hardware offload by using software-based IPSec processing until patching is possible
- Configure kernel module parameters to disable mlx5e IPSec offload functionality
- Implement network segmentation to reduce reliance on affected IPSec tunnels
# Disable mlx5e IPSec offload (temporary workaround)
# Add to /etc/modprobe.d/mlx5.conf
options mlx5_core ipsec_offload=0
# Reload the module or reboot for changes to take effect
modprobe -r mlx5_core && modprobe mlx5_core
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
