CVE-2026-23441 (GCVE-0-2026-23441)
Vulnerability from cvelistv5
Published
2026-04-03 15:15
Modified
2026-04-13 06:07
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Prevent concurrent access to IPSec ASO context The query or updating IPSec offload object is through Access ASO WQE. The driver uses a single mlx5e_ipsec_aso struct for each PF, which contains a shared DMA-mapped context for all ASO operations. A race condition exists because the ASO spinlock is released before the hardware has finished processing WQE. If a second operation is initiated immediately after, it overwrites the shared context in the DMA area. When the first operation's completion is processed later, it reads this corrupted context, leading to unexpected behavior and incorrect results. This commit fixes the race by introducing a private context within each IPSec offload object. The shared ASO context is now copied to this private context while the ASO spinlock is held. Subsequent processing uses this saved, per-object context, ensuring its integrity is maintained.
References
Impacted products
Vendor Product Version
Linux Linux Version: 1ed78fc033074c55221a80498204c539a3696877
Version: 1ed78fc033074c55221a80498204c539a3696877
Version: 1ed78fc033074c55221a80498204c539a3696877
Version: 1ed78fc033074c55221a80498204c539a3696877
Version: 1ed78fc033074c55221a80498204c539a3696877
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h",
            "drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "99aaee927800ea00b441b607737f9f67b1899755",
              "status": "affected",
              "version": "1ed78fc033074c55221a80498204c539a3696877",
              "versionType": "git"
            },
            {
              "lessThan": "c3db55dc0f3344b62da25b025a8396d78763b5fa",
              "status": "affected",
              "version": "1ed78fc033074c55221a80498204c539a3696877",
              "versionType": "git"
            },
            {
              "lessThan": "2c6a5be0aee5a44066f68a332c30650900e32ad4",
              "status": "affected",
              "version": "1ed78fc033074c55221a80498204c539a3696877",
              "versionType": "git"
            },
            {
              "lessThan": "6834d196107d5267dcad31b44211da7698e8f618",
              "status": "affected",
              "version": "1ed78fc033074c55221a80498204c539a3696877",
              "versionType": "git"
            },
            {
              "lessThan": "99b36850d881e2d65912b2520a1c80d0fcc9429a",
              "status": "affected",
              "version": "1ed78fc033074c55221a80498204c539a3696877",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h",
            "drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.78",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.20",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.10",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Prevent concurrent access to IPSec ASO context\n\nThe query or updating IPSec offload object is through Access ASO WQE.\nThe driver uses a single mlx5e_ipsec_aso struct for each PF, which\ncontains a shared DMA-mapped context for all ASO operations.\n\nA race condition exists because the ASO spinlock is released before\nthe hardware has finished processing WQE. If a second operation is\ninitiated immediately after, it overwrites the shared context in the\nDMA area.\n\nWhen the first operation\u0027s completion is processed later, it reads\nthis corrupted context, leading to unexpected behavior and incorrect\nresults.\n\nThis commit fixes the race by introducing a private context within\neach IPSec offload object. The shared ASO context is now copied to\nthis private context while the ASO spinlock is held. Subsequent\nprocessing uses this saved, per-object context, ensuring its integrity\nis maintained."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T06:07:31.326Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/99aaee927800ea00b441b607737f9f67b1899755"
        },
        {
          "url": "https://git.kernel.org/stable/c/c3db55dc0f3344b62da25b025a8396d78763b5fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c6a5be0aee5a44066f68a332c30650900e32ad4"
        },
        {
          "url": "https://git.kernel.org/stable/c/6834d196107d5267dcad31b44211da7698e8f618"
        },
        {
          "url": "https://git.kernel.org/stable/c/99b36850d881e2d65912b2520a1c80d0fcc9429a"
        }
      ],
      "title": "net/mlx5e: Prevent concurrent access to IPSec ASO context",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23441",
    "datePublished": "2026-04-03T15:15:25.380Z",
    "dateReserved": "2026-01-13T15:37:46.017Z",
    "dateUpdated": "2026-04-13T06:07:31.326Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.