{
  "threat_severity" : "Moderate",
  "public_date" : "2026-02-14T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()",
    "id" : "2439887",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2439887"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-364",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nscsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()\nIn iscsit_dec_session_usage_count(), the function calls complete() while\nholding the sess->session_usage_lock. Similar to the connection usage count\nlogic, the waiter signaled by complete() (e.g., in the session release\npath) may wake up and free the iscsit_session structure immediately.\nThis creates a race condition where the current thread may attempt to\nexecute spin_unlock_bh() on a session structure that has already been\ndeallocated, resulting in a KASAN slab-use-after-free.\nTo resolve this, release the session_usage_lock before calling complete()\nto ensure all dereferences of the sess pointer are finished before the\nwaiter is allowed to proceed with deallocation." ],
  "statement" : "A use after free can occur in the iSCSI target session usage count logic because iscsit_dec_session_usage_count can call complete while holding session_usage_lock. A waiting thread in the session release path can wake up and free the session structure immediately after the completion is signaled. The current thread may then attempt to unlock or otherwise access fields in a session object that has already been deallocated which can trigger a slab use after free and crash the kernel. The attack surface is adjacent network because iSCSI targets are typically reachable only inside storage or data center networks. Impact can be denial of service. A conservative assessment also considers potential confidentiality and integrity impact due to kernel memory corruption from a use after free.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-04-06T00:00:00Z",
    "advisory" : "RHSA-2026:6632",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.49.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-04-06T00:00:00Z",
    "advisory" : "RHSA-2026:6572",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.117.1.rt7.458.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-04-06T00:00:00Z",
    "advisory" : "RHSA-2026:6571",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.117.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-03-30T00:00:00Z",
    "advisory" : "RHSA-2026:6153",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.45.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-03-30T00:00:00Z",
    "advisory" : "RHSA-2026:6153",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.45.1.el9_7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23193\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23193\nhttps://lore.kernel.org/linux-cve-announce/2026021434-CVE-2026-23193-2c6c@gregkh/T" ],
  "name" : "CVE-2026-23193",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent module iscsi_target_mod from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.",
    "lang" : "en:us"
  },
  "csaw" : false
}