Home

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() In iscsit_dec_session_usage_count(), the function calls complete() while holding the sess->session_usage_lock. Similar to the connection usage count logic, the waiter signaled by complete() (e.g., in the session release path) may wake up and free the iscsit_session structure immediately. This creates a race condition where the current thread may attempt to execute spin_unlock_bh() on a session structure that has already been deallocated, resulting in a KASAN slab-use-after-free. To resolve this, release the session_usage_lock before calling complete() to ensure all dereferences of the sess pointer are finished before the waiter is allowed to proceed with deallocation.

PUBLISHED Reserved 2026-01-13 | Published 2026-02-14 | Updated 2026-02-16 | Assigner Linux

Product status

Default status
unaffected

e48354ce078c079996f89d715dfa44814b4eba01 (git) before 2b64015550a13bcc72910be0565548d9a754d46d
affected

e48354ce078c079996f89d715dfa44814b4eba01 (git) before fd8b0900173307039d3a84644c2fee041a7ed4fb
affected

e48354ce078c079996f89d715dfa44814b4eba01 (git) before d8dbdc146e9e9a976931b78715be2e91299049f9
affected

e48354ce078c079996f89d715dfa44814b4eba01 (git) before 11ebafffce31efc6abeb28c509017976fc49f1ca
affected

e48354ce078c079996f89d715dfa44814b4eba01 (git) before 41b86a9ec037bd3435d68dd3692f0891a207e7e7
affected

e48354ce078c079996f89d715dfa44814b4eba01 (git) before 4530f4e4d0e6a207110b0ffed0c911bca43531a4
affected

e48354ce078c079996f89d715dfa44814b4eba01 (git) before 84dc6037390b8607c5551047d3970336cb51ba9a
affected

Default status
affected

3.1
affected

Any version before 3.1
unaffected

5.10.250 (semver)
unaffected

5.15.200 (semver)
unaffected

6.1.163 (semver)
unaffected

6.6.124 (semver)
unaffected

6.12.70 (semver)
unaffected

6.18.10 (semver)
unaffected

6.19 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/2b64015550a13bcc72910be0565548d9a754d46d

git.kernel.org/...c/fd8b0900173307039d3a84644c2fee041a7ed4fb

git.kernel.org/...c/d8dbdc146e9e9a976931b78715be2e91299049f9

git.kernel.org/...c/11ebafffce31efc6abeb28c509017976fc49f1ca

git.kernel.org/...c/41b86a9ec037bd3435d68dd3692f0891a207e7e7

git.kernel.org/...c/4530f4e4d0e6a207110b0ffed0c911bca43531a4

git.kernel.org/...c/84dc6037390b8607c5551047d3970336cb51ba9a

cve.org (CVE-2026-23193)

nvd.nist.gov (CVE-2026-23193)

Download JSON