Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
High

Race condition in Linux kernel bridge CFM peer_mep deletion

IdentifiersCVE-2026-23393CWE-362· Concurrent Execution using Shared…

CVE-2026-23393 is a race condition in the Linux kernel bridge Connectivity Fault Management (CFM) code during peer MEP deletion. When a peer MEP is deleted, the kernel called cancel_delayed_work_sync() on ccm_rx_dwork before freeing the object. However, br_cfm_frame_rx() executes in softirq context under rcu_read_lock() without RTNL and can reschedule ccm_rx_dwork via ccm_rx_timer_start() after cancel_delayed_work_sync() returns but before hlist_del_rcu() and kfree_rcu() complete. This creates a window where delayed work can later run in ccm_rx_work_expired() against a freed peer_mep object, resulting in a use-after-free condition. The fix replaces cancel_delayed_work_sync() with disable_delayed_work_sync() in both peer MEP deletion paths so subsequent queue_delayed_work() attempts from br_cfm_frame_rx() are rejected during deletion. The cc_peer_disable() helper intentionally retains cancel_delayed_work_sync() because it is also used for the CC enable/disable toggle path where rescheduling must remain possible.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause kernel memory corruption through use-after-free of a peer_mep object in the bridge CFM subsystem. Published assessments indicate high impact to confidentiality, integrity, and availability of the vulnerable system. Depending on exploitation conditions, this could lead to kernel crash or denial of service, arbitrary code execution in kernel context, or other privilege-compromising effects associated with kernel UAF conditions.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by disabling or avoiding use of the Linux bridge CFM functionality and deleting or reconfiguring affected peer MEP objects only during controlled maintenance windows. Limit local access and administrative capabilities to trusted users because published scoring indicates local attack vector and low privileges. These are temporary risk-reduction measures only; no complete mitigation is available short of deploying a fixed kernel.

Remediation

Patch, then assume compromise.

Apply a kernel update that includes the bridge CFM fix for CVE-2026-23393. The upstream remediation is to replace cancel_delayed_work_sync() with disable_delayed_work_sync() in both peer MEP deletion paths so delayed work cannot be re-queued after deletion begins. SUSE indicates fixed packages include, for example, kernel-default 6.12.0-160000.28.1 or later for SLES 16.0 / SLE Micro 6.2 and kernel-default 6.4.0-46.1 or later for SLE Micro 6.0 and 6.1; product-specific package status should be verified for the deployed distribution and kernel flavor. Reboot after installing the updated kernel.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

8 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-23393
NVD
nvd.nist.gov/vuln/detail/CVE-2026-23393
MITRE CWE · CWE-362
Concurrent Execution using Shared Resource…
Patch
git.kernel.org/stable/c/1fd81151f65927fd9edb8ecd12ad45527dbbe5ab
Patch
git.kernel.org/stable/c/3715a00855316066cdda69d43648336367422127
Patch
git.kernel.org/stable/c/d8f35767bacb3c7769d470a41cf161e3f3c07e70
Patch
git.kernel.org/stable/c/e89dbd2736a45f0507949af4748cbbf3ff793146