CVE-2026-23193
Published: February 14, 2026· Updated: Feb 18, 2026
Official Description
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()
In iscsit_dec_session_usage_count(), the function calls complete() while
holding the sess->session_usage_lock. Similar to the connection usage count
logic, the waiter signaled by complete() (e.g., in the session release
path) may wake up and free the iscsit_session structure immediately.
This creates a race condition where the current thread may attempt to
execute spin_unlock_bh() on a session structure that has already been
deallocated, resulting in a KASAN slab-use-after-free.
To resolve this, release the session_usage_lock before calling complete()
to ensure all dereferences of the sess pointer are finished before the
waiter is allowed to proceed with deallocation.
Technical Analysis
CVE-2026-23193 requires local access, meaning attackers must already have a foothold on the target system.
Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
Affected Vendors & Products
Exploit & PoC Resources
All References (7)
Quick Facts
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-23193 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts