HOMEVULNERABILITIESCVE-2026-23440
NONE

CVE-2026-23440

Published: April 3, 2026· Updated: Apr 7, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:4.6th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix race condition during IPSec ESN update

In IPSec full offload mode, the device reports an ESN (Extended

Sequence Number) wrap event to the driver. The driver validates this

event by querying the IPSec ASO and checking that the esn_event_arm

field is 0x0, which indicates an event has occurred. After handling

the event, the driver must re-arm the context by setting esn_event_arm

back to 0x1.

A race condition exists in this handling path. After validating the

event, the driver calls mlx5_accel_esp_modify_xfrm() to update the

kernel's xfrm state. This function temporarily releases and

re-acquires the xfrm state lock.

So, need to acknowledge the event first by setting esn_event_arm to

0x1. This prevents the driver from reprocessing the same ESN update if

the hardware sends events for other reason. Since the next ESN update

only occurs after nearly 2^31 packets are received, there's no risk of

missing an update, as it will happen long after this handling has

finished.

Processing the event twice causes the ESN high-order bits (esn_msb) to

be incremented incorrectly. The driver then programs the hardware with

this invalid ESN state, which leads to anti-replay failures and a

complete halt of IPSec traffic.

Fix this by re-arming the ESN event immediately after it is validated,

before calling mlx5_accel_esp_modify_xfrm(). This ensures that any

spurious, duplicate events are correctly ignored, closing the race

window.

NVD Source

Technical Analysis

CVE-2026-23440 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (5)

Quick Facts

CVE IDCVE-2026-23440
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedApr 3, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23440 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.