
CVE-2026-23240: critical use-after-free in the Linux kernel TLS subsystem

The Linux kernel has carried a flaw in its TLS layer for years, now resolved under the identifier CVE-2026-23240. It’s a use-after-free triggered by a race condition, rated 9.8 out of 10 on the CVSS scale according to kernel.org. That puts it squarely in critical territory.

What actually happens

The kernel TLS subsystem (kTLS) offloads TLS encryption into the kernel itself, skipping a user-space library. Part of that transmit work runs as a delayed work item called tx_work_handler(), which lives in net/tls/tls_sw.c.

When a socket closes, tls_sk_proto_close() calls tls_sw_cancel_work_tx(), which in turn uses cancel_delayed_work_sync() to cancel that pending work before the TLS object is freed. The trouble is that this cancellation doesn’t stop the work from being scheduled again afterward. Paths such as the Delayed ACK handler or ksoftirqd can re-trigger scheduling through tls_write_space(), which calls tls_sw_write_space(). That function sets the BIT_TX_SCHEDULED bit and calls schedule_delayed_work().

The result is a window where cancel_delayed_work_sync() has already returned, the TLS object gets freed, and a worker later runs against that memory. It dereferences something that no longer exists. That’s a textbook use-after-free, and it can lead to kernel memory corruption or a full system crash.

Who’s affected

Any machine running a kernel that uses kTLS and opens and closes kernel-accelerated TLS connections. The affected range is wide:

  • 5.3 through 6.12.74.
  • 6.13 through 6.18.15.
  • 6.19 through 6.19.5.

In short, nearly any modern unpatched kernel. Servers that terminate TLS with kernel offload, load balancers, and boxes under heavy network load are the most exposed to the race firing in production.

How serious it is

The CVSS vector (AV:N/AC:L/PR:N/UI:N) says the problem is reachable over the network, with no prior privileges and no user interaction. A race condition is by nature hard to trigger reliably, but the impact when it does fire is real: loss of system integrity and availability, plus the chance to corrupt kernel structures. Hence the high score.

Mitigation

The fix is small and clean: cancel_delayed_work_sync() is replaced with disable_delayed_work_sync(). The difference is that disable_delayed_work_sync() also marks the work as disabled, so any later attempt to reschedule it has no effect. That closes the race window at its root.
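To make the difference between the two calls concrete, here is a small user-space model of the close sequence described above. It is an added illustration, not kernel code and not the patch: the struct and function names (model_tls_ctx, model_tx_work_handler, model_close_sequence and so on) are assumptions chosen to mirror the kernel names, and the "free" is simulated with a flag so the model can observe the stale access safely instead of corrupting memory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-space model of the workqueue semantics in the advisory.
 * Nothing here is the kernel's implementation; names only mirror it. */

struct model_delayed_work {
    bool pending;            /* a worker will pick the item up */
    bool disabled;           /* set by disable_*; schedule() becomes a no-op */
    void (*fn)(void *arg);
    void *arg;
};

/* Stands in for the TLS software context that embeds tx_work. */
struct model_tls_ctx {
    bool tx_scheduled;       /* models BIT_TX_SCHEDULED */
    bool freed;              /* set instead of really freeing the object */
    int uaf_hits;            /* handler runs observed after the "free" */
    struct model_delayed_work tx_work;
};

static bool model_schedule_delayed_work(struct model_delayed_work *w)
{
    if (w->disabled)
        return false;        /* refused once disable_*_sync() has run */
    w->pending = true;
    return true;
}

/* Old close path: drop the pending instance. The item stays schedulable,
 * which is the window the CVE describes. */
static void model_cancel_delayed_work_sync(struct model_delayed_work *w)
{
    w->pending = false;
}

/* Fixed close path: same as cancel, plus later schedule calls are ignored. */
static void model_disable_delayed_work_sync(struct model_delayed_work *w)
{
    w->pending = false;
    w->disabled = true;
}

/* Stands in for the worker thread draining the queue. */
static bool model_run_pending(struct model_delayed_work *w)
{
    if (!w->pending)
        return false;
    w->pending = false;
    w->fn(w->arg);
    return true;
}

/* Models tx_work_handler(): it dereferences the context it was handed. */
static void model_tx_work_handler(void *arg)
{
    struct model_tls_ctx *ctx = arg;
    if (ctx->freed)
        ctx->uaf_hits++;     /* in the kernel this is the use-after-free */
    ctx->tx_scheduled = false;
}

/* Models tls_write_space() -> tls_sw_write_space(): set the scheduled bit
 * and queue the work. This is the late caller (delayed ACK, ksoftirqd). */
static void model_tls_sw_write_space(struct model_tls_ctx *ctx)
{
    if (!ctx->tx_scheduled) {
        ctx->tx_scheduled = true;
        model_schedule_delayed_work(&ctx->tx_work);
    }
}

/* Replays the close sequence and returns how many handler runs touched the
 * context after it was "freed": 1 with cancel, 0 with disable. */
int model_close_sequence(bool use_disable)
{
    struct model_tls_ctx ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.tx_work.fn = model_tx_work_handler;
    ctx.tx_work.arg = &ctx;

    /* 1. normal traffic: work queued and drained once while the socket is live */
    model_tls_sw_write_space(&ctx);
    model_run_pending(&ctx.tx_work);

    /* 2. tls_sk_proto_close() -> tls_sw_cancel_work_tx() */
    if (use_disable)
        model_disable_delayed_work_sync(&ctx.tx_work);
    else
        model_cancel_delayed_work_sync(&ctx.tx_work);

    /* 3. the race: a softirq path calls write_space after the cancel returned */
    model_tls_sw_write_space(&ctx);

    /* 4. close finishes and the context is freed */
    ctx.freed = true;

    /* 5. the worker drains whatever is still queued */
    model_run_pending(&ctx.tx_work);
    return ctx.uaf_hits;
}

int main(void)
{
    printf("cancel_delayed_work_sync : stale runs = %d\n", model_close_sequence(false));
    printf("disable_delayed_work_sync: stale runs = %d\n", model_close_sequence(true));
    return 0;
}
```

The model keeps the context's memory alive and only flags it as freed, so the stale access shows up as a counter rather than a crash; in the real kernel the same late handler run dereferences freed memory. The only line that changes between the two runs is the close-path call, which is why the one-function patch is sufficient.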

There’s no setting you can toggle to avoid this without patching: update the kernel to a fixed release (6.12.75 or later on stable, 6.18.16+, 6.19.6+, as appropriate) and reboot. If you run a distribution, wait for your vendor’s package and apply it; many also offer livepatch to skip the reboot. Check the Linux kernel page to see where your version falls.
