{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-25T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: bridge: cfm: Fix race condition in peer_mep deletion",
    "id" : "2451260",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451260"
  },
  "cwe" : "CWE-825",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbridge: cfm: Fix race condition in peer_mep deletion\nWhen a peer MEP is being deleted, cancel_delayed_work_sync() is called\non ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in\nsoftirq context under rcu_read_lock (without RTNL) and can re-schedule\nccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync()\nreturning and kfree_rcu() being called.\nThe following is a simple race scenario:\ncpu0                                     cpu1\nmep_delete_implementation()\ncancel_delayed_work_sync(ccm_rx_dwork);\nbr_cfm_frame_rx()\n// peer_mep still in hlist\nif (peer_mep->ccm_defect)\nccm_rx_timer_start()\nqueue_delayed_work(ccm_rx_dwork)\nhlist_del_rcu(&peer_mep->head);\nkfree_rcu(peer_mep, rcu);\nccm_rx_work_expired()\n// on freed peer_mep\nTo prevent this, cancel_delayed_work_sync() is replaced with\ndisable_delayed_work_sync() in both peer MEP deletion paths, so\nthat subsequent queue_delayed_work() calls from br_cfm_frame_rx()\nare silently rejected.\nThe cc_peer_disable() helper retains cancel_delayed_work_sync()\nbecause it is also used for the CC enable/disable toggle path where\nthe work must remain re-schedulable.", "A flaw was found in the Linux kernel's bridge Connectivity Fault Management (CFM) component. A race condition can occur during the deletion of a peer Maintenance Entity Group End Point (MEP). This allows the `br_cfm_frame_rx()` function to re-schedule a delayed work on a MEP object after it has been marked for deletion but before it is fully freed. This may lead to a use-after-free vulnerability, potentially causing a denial of service or arbitrary code execution." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23393\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23393\nhttps://lore.kernel.org/linux-cve-announce/2026032548-CVE-2026-23393-c395@gregkh/T" ],
  "name" : "CVE-2026-23393",
  "csaw" : false
}