In the Linux kernel, the following vulnerability has been resolved:
tls: Fix race condition in tls_sw_cancel_work_tx()
This issue was discovered during a code audit.
After cancel_delayed_work_sync() is called from tls_sk_proto_close(), tx_work_handler() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the tx_work_handler() worker may dereference a freed TLS object.
The following is a simple race scenario:
cpu0                                            cpu1

tls_sk_proto_close()
  tls_sw_cancel_work_tx()
                                                tls_write_space()
                                                  tls_sw_write_space()
                                                    if (!test_and_set_bit(BIT_TX_SCHEDULED, &tx_ctx->tx_bitmask))
    set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask);
    cancel_delayed_work_sync(&ctx->tx_work.work);
                                                      schedule_delayed_work(&tx_ctx->tx_work.work, 0);
To prevent this race condition, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().
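
A single-threaded userspace model of the interleaving above, added here as an illustration (it is not kernel code and not part of the original advisory). The toy_* helpers are hypothetical stand-ins that model one assumption about the workqueue API: a cancel leaves later scheduling possible, while a disable makes later scheduling attempts fail.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: every toy_* name is hypothetical, not a kernel API. */
struct toy_tx_ctx {
    unsigned long tx_bitmask; /* bit 0 models BIT_TX_SCHEDULED */
    bool pending;             /* tx_work queued; handler will run later */
    int disabled;             /* disable depth; queueing refused while > 0 */
};

static bool toy_test_and_set_bit(unsigned long *mask)
{
    bool old = (*mask & 1UL) != 0;
    *mask |= 1UL;
    return old;
}

static bool toy_schedule(struct toy_tx_ctx *c)
{
    if (c->disabled > 0 || c->pending)
        return false;
    c->pending = true;
    return true;
}

static void toy_cancel_sync(struct toy_tx_ctx *c) { c->pending = false; }
static void toy_disable_sync(struct toy_tx_ctx *c) { c->disabled++; c->pending = false; }

/* Replays the scenario; true = work still queued when close goes on to free ctx. */
static bool work_pending_after_close(bool use_disable)
{
    struct toy_tx_ctx ctx = {0};
    /* cpu1: tls_sw_write_space() wins the bit, then is delayed */
    bool cpu1_schedules = !toy_test_and_set_bit(&ctx.tx_bitmask);
    /* cpu0: tls_sw_cancel_work_tx() sets the bit, then cancels or disables */
    ctx.tx_bitmask |= 1UL;
    use_disable ? toy_disable_sync(&ctx) : toy_cancel_sync(&ctx);
    /* cpu1: resumes only after cpu0's call has returned */
    if (cpu1_schedules)
        toy_schedule(&ctx);
    return ctx.pending;
}

int main(void)
{
    printf("cancel: pending=%d, disable: pending=%d\n",
           work_pending_after_close(false), work_pending_after_close(true));
    return 0;
}
```

In the model, the cancel variant leaves the work queued after the close path has finished, which is the window in which tx_work_handler() would touch the freed TLS object; the disable variant leaves nothing queued.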
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23240.json"
}