FKIE_CVE-2026-23216

Vulnerability from fkie_nvd - Published: 2026-02-18 15:18 - Updated: 2026-02-18 17:51
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() In iscsit_dec_conn_usage_count(), the function calls complete() while holding the conn->conn_usage_lock. As soon as complete() is invoked, the waiter (such as iscsit_close_connection()) may wake up and proceed to free the iscsit_conn structure. If the waiter frees the memory before the current thread reaches spin_unlock_bh(), it results in a KASAN slab-use-after-free as the function attempts to release a lock within the already-freed connection structure. Fix this by releasing the spinlock before calling complete().
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/275016a551ba1a068a3bd6171b18611726b67110
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3835e49e146a4e6e7787b29465f1a23379b6ec44
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/48fe983e92de2c59d143fe38362ad17ba23ec7f3
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/73b487d44bf4f92942629d578381f89c326ff77f
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8518f072fc92921418cd9ed4268dd4f3e9a8fd75
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9411a89e9e7135cc459178fa77a3f1d6191ae903
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ba684191437380a07b27666eb4e72748be1ea201
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()\n\nIn iscsit_dec_conn_usage_count(), the function calls complete() while\nholding the conn-\u003econn_usage_lock. As soon as complete() is invoked, the\nwaiter (such as iscsit_close_connection()) may wake up and proceed to free\nthe iscsit_conn structure.\n\nIf the waiter frees the memory before the current thread reaches\nspin_unlock_bh(), it results in a KASAN slab-use-after-free as the function\nattempts to release a lock within the already-freed connection structure.\n\nFix this by releasing the spinlock before calling complete()."
    }
  ],
  "id": "CVE-2026-23216",
  "lastModified": "2026-02-18T17:51:53.510",
  "metrics": {},
  "published": "2026-02-18T15:18:42.957",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/275016a551ba1a068a3bd6171b18611726b67110"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/3835e49e146a4e6e7787b29465f1a23379b6ec44"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/48fe983e92de2c59d143fe38362ad17ba23ec7f3"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/73b487d44bf4f92942629d578381f89c326ff77f"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/8518f072fc92921418cd9ed4268dd4f3e9a8fd75"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9411a89e9e7135cc459178fa77a3f1d6191ae903"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ba684191437380a07b27666eb4e72748be1ea201"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.