CVE-2026-23239

In the Linux kernel, the following vulnerability has been resolved:

espintcp: Fix race condition in espintcp_close()

This issue was discovered during a code audit.

After cancelworksync() is called from espintcpclose(), espintcptxwork() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the espintcptx_work() worker may dereference a freed espintcp ctx or sk.

The following is a simple race scenario:

       cpu0                             cpu1

espintcpclose() cancelworksync(&ctx->work); espintcpwritespace() schedulework(&ctx->work);

To prevent this race condition, cancelworksync() is replaced with disableworksync().