CVE-2026-23393— bridge: cfm: Fix race condition in peer_mep deletion
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-23393
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
bridge: cfm: Fix race condition in peer_mep deletion
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: bridge: cfm: Fix race condition in peer_mep deletion When a peer MEP is being deleted, cancel_delayed_work_sync() is called on ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in softirq context under rcu_read_lock (without RTNL) and can re-schedule ccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync() returning and kfree_rcu() being called. The following is a simple race scenario: cpu0 cpu1 mep_delete_implementation() cancel_delayed_work_sync(ccm_rx_dwork); br_cfm_frame_rx() // peer_mep still in hlist if (peer_mep->ccm_defect) ccm_rx_timer_start() queue_delayed_work(ccm_rx_dwork) hlist_del_rcu(&peer_mep->head); kfree_rcu(peer_mep, rcu); ccm_rx_work_expired() // on freed peer_mep To prevent this, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync() in both peer MEP deletion paths, so that subsequent queue_delayed_work() calls from br_cfm_frame_rx() are silently rejected. The cc_peer_disable() helper retains cancel_delayed_work_sync() because it is also used for the CC enable/disable toggle path where the work must remain re-schedulable.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于竞争条件,可能导致使用已释放对象。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-23393
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-23393
请登录查看更多情报信息。
Same Patch Batch · Linux · 2026-03-25 · 116 CVEs total
| CVE-2026-23395 | 8.8 HIGH | Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ |
| CVE-2026-31788 | 8.2 HIGH | xen/privcmd: restrict usage in unprivileged domU |
| CVE-2026-23340 | 7.8 HIGH | net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs |
| CVE-2026-23336 | 7.8 HIGH | wifi: cfg80211: cancel rfkill_block work in wiphy_unregister() |
| CVE-2026-23350 | 7.8 HIGH | drm/xe/queue: Call fini on exec queue creation fail |
| CVE-2026-23351 | 7.8 HIGH | netfilter: nft_set_pipapo: split gc into unlink and reclaim phase |
| CVE-2026-23317 | 7.8 HIGH | drm/vmwgfx: Return the correct value in vmw_translate_ptr functions |
| CVE-2026-23306 | 7.8 HIGH | scsi: pm8001: Fix use-after-free in pm8001_queue_command() |
| CVE-2026-23372 | 7.8 HIGH | nfc: rawsock: cancel tx_work before socket teardown |
| CVE-2026-23378 | 7.8 HIGH | net/sched: act_ife: Fix metalist update behavior |
| CVE-2026-23383 | 7.8 HIGH | bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing |
| CVE-2026-23391 | 7.8 HIGH | netfilter: xt_CT: drop pending enqueued packets on template removal |
| CVE-2026-23392 | 7.8 HIGH | netfilter: nf_tables: release flowtable after rcu grace period on error |
| CVE-2026-23288 | 7.8 HIGH | accel/amdxdna: Fix out-of-bounds memset in command slot handling |
| CVE-2026-23280 | 7.8 HIGH | accel/amdxdna: Prevent ubuf size overflow |
| CVE-2026-23364 | 7.4 HIGH | ksmbd: Compare MACs in constant time |
| CVE-2026-23294 | 7.0 HIGH | bpf: Fix race in devmap on PREEMPT_RT |
| CVE-2026-23354 | x86/fred: Correct speculative safety in fred_extint() | |
| CVE-2026-23356 | drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() | |
| CVE-2026-23352 | x86/efi: defer freeing of boot services memory |
Showing top 20 of 116 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2026-23393
No comments yet