{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23296", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.993Z", "datePublished": "2026-03-25T10:26:53.509Z", "dateUpdated": "2026-03-25T10:26:53.509Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:26:53.509Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix refcount leak for tagset_refcnt\n\nThis leak will cause a hang when tearing down the SCSI host. For example,\niscsid hangs with the following call trace:\n\n[130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured\n\nPID: 2528 TASK: ffff9d0408974e00 CPU: 3 COMMAND: \"iscsid\"\n #0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4\n #1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f\n #2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0\n #3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f\n #4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b\n #5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp]\n #6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi]\n #7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi]\n #8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6\n #9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/scsi/scsi_scan.c"], "versions": [{"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506", "lessThan": "9f5e4abed9248448aa1b45b12ab0bea4d329b56a", "status": "affected", "versionType": "git"}, {"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506", "lessThan": "7c01b680beaf4d3143866b062b8e770e8b237fb8", "status": "affected", "versionType": "git"}, {"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506", "lessThan": "ec5c17c687b189dbc09dfdec11b669caa40bc395", "status": "affected", "versionType": "git"}, {"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506", "lessThan": "944a333c8e4d42256556c1d2ebb6d773a33e0dcd", "status": "affected", "versionType": "git"}, {"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506", "lessThan": "a03d96598d39fdf605d90731db3ef3b13fb8bdc8", "status": "affected", "versionType": "git"}, {"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506", "lessThan": "1ac22c8eae81366101597d48360718dff9b9d980", "status": "affected", "versionType": "git"}, {"version": "5ce8fad941233e81f2afb5b52a3fcddd3ba8732f", "status": "affected", "versionType": "git"}, {"version": "f818708eeeae793e12dc39f8984ed7732048a7d9", "status": "affected", "versionType": "git"}, {"version": "2e7eb4c1e8af8385de22775bd0be552f59b28c9a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/scsi/scsi_scan.c"], "versions": [{"version": "6.0", "status": "affected"}, {"version": "0", "lessThan": "6.0", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "7.0-rc3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.223"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.164"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.19.12"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9f5e4abed9248448aa1b45b12ab0bea4d329b56a"}, {"url": "https://git.kernel.org/stable/c/7c01b680beaf4d3143866b062b8e770e8b237fb8"}, {"url": "https://git.kernel.org/stable/c/ec5c17c687b189dbc09dfdec11b669caa40bc395"}, {"url": "https://git.kernel.org/stable/c/944a333c8e4d42256556c1d2ebb6d773a33e0dcd"}, {"url": "https://git.kernel.org/stable/c/a03d96598d39fdf605d90731db3ef3b13fb8bdc8"}, {"url": "https://git.kernel.org/stable/c/1ac22c8eae81366101597d48360718dff9b9d980"}], "title": "scsi: core: Fix refcount leak for tagset_refcnt", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix refcount leak for tagset_refcnt\n\nThis leak will cause a hang when tearing down the SCSI host. For example,\niscsid hangs with the following call trace:\n\n[130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured\n\nPID: 2528 TASK: ffff9d0408974e00 CPU: 3 COMMAND: \"iscsid\"\n #0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4\n #1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f\n #2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0\n #3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f\n #4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b\n #5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp]\n #6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi]\n #7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi]\n #8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6\n #9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef"}], "id": "CVE-2026-23296", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:24.980", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1ac22c8eae81366101597d48360718dff9b9d980"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7c01b680beaf4d3143866b062b8e770e8b237fb8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/944a333c8e4d42256556c1d2ebb6d773a33e0dcd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9f5e4abed9248448aa1b45b12ab0bea4d329b56a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a03d96598d39fdf605d90731db3ef3b13fb8bdc8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ec5c17c687b189dbc09dfdec11b669caa40bc395"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: scsi: core: Fix refcount leak for tagset_refcnt", "id": "2451174", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451174"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-911", "details": ["A flaw was found in the Linux kernel's SCSI core. A reference count leak, a type of resource management issue, occurs when tearing down a SCSI host due to an error in the `tagset_refcnt` mechanism. This can cause the system to hang, leading to a Denial of Service (DoS) for the affected system."], "name": "CVE-2026-23296", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23296\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23296\nhttps://lore.kernel.org/linux-cve-announce/2026032526-CVE-2026-23296-eb4a@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8fe4ce5836e932f5766317cb651c1ff2a4cd0506,9f5e4abed9248448aa1b45b12ab0bea4d329b56a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8fe4ce5836e932f5766317cb651c1ff2a4cd0506,7c01b680beaf4d3143866b062b8e770e8b237fb8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8fe4ce5836e932f5766317cb651c1ff2a4cd0506,ec5c17c687b189dbc09dfdec11b669caa40bc395)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8fe4ce5836e932f5766317cb651c1ff2a4cd0506,944a333c8e4d42256556c1d2ebb6d773a33e0dcd)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8fe4ce5836e932f5766317cb651c1ff2a4cd0506,a03d96598d39fdf605d90731db3ef3b13fb8bdc8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8fe4ce5836e932f5766317cb651c1ff2a4cd0506,1ac22c8eae81366101597d48360718dff9b9d980)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "5ce8fad941233e81f2afb5b52a3fcddd3ba8732f"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "f818708eeeae793e12dc39f8984ed7732048a7d9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "2e7eb4c1e8af8385de22775bd0be552f59b28c9a"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.0"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T03:52:18.327440+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that contains the refcount leak fix, as referenced by the kernel commit URLs in the CVE record.", "Restart any SCSI\u2011related services, such as iscsid, after applying the update to clear stale state.", "Avoid performing SCSI host teardown operations until the kernel upgrade has been applied, if an immediate update is not possible.", "Monitor kernel logs for scsi_alloc_sdev or scsi_remove_host failures and investigate suspensions that may indicate a hang."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via kernel hang"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to all Linux kernel implementations that have not incorporated the commit referenced in the kernel patch links. The CNA list identifies the affected product as Linux Linux; no specific minor or major version numbers are listed, so any kernel before the patch could be impacted.", "description_and_impact": "A reference count leak in the Linux kernel's SCSI core causes a half\u2011open loop when a SCSI host is torn down, leading the system to hang. The provided call trace shows the iscsid daemon stalling during scsi_remove_host, disabling any service that relies on SCSI. The issue does not expose data but results in a denial of service that can impair essential network or storage operations.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity, while the EPSS score below 1% suggests exploitation is unlikely in the wild. The flaw is not included in CISA\u2019s KEV catalog. Based on the context that the hang occurs during scsi_remove_host, it is inferred that the attack vector is local or privileged, requiring root or system\u2011service privileges to trigger the teardown operation."}}}}, "created": "2026-03-25T21:15:34.342014+00:00", "updated": "2026-03-26T12:17:00.217875+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}