net/mlx5e: Fix race condition during IPSec ESN update

Summary

CVE	CVE-2026-23440
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-04-03 16:16:26 UTC
Updated	2026-04-07 13:21:09 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix race condition during IPSec ESN update In IPSec full offload mode, the device reports an ESN (Extended Sequence Number) wrap event to the driver. The driver validates this event by querying the IPSec ASO and checking that the esn_event_arm field is 0x0, which indicates an event has occurred. After handling the event, the driver must re-arm the context by setting esn_event_arm back to 0x1. A race condition exists in this handling path. After validating the event, the driver calls mlx5_accel_esp_modify_xfrm() to update the kernel's xfrm state. This function temporarily releases and re-acquires the xfrm state lock. So, need to acknowledge the event first by setting esn_event_arm to 0x1. This prevents the driver from reprocessing the same ESN update if the hardware sends events for other reason. Since the next ESN update only occurs after nearly 2^31 packets are received, there's no risk of missing an update, as it will happen long after this handling has finished. Processing the event twice causes the ESN high-order bits (esn_msb) to be incremented incorrectly. The driver then programs the hardware with this invalid ESN state, which leads to anti-replay failures and a complete halt of IPSec traffic. Fix this by re-arming the ESN event immediately after it is validated, before calling mlx5_accel_esp_modify_xfrm(). This ensures that any spurious, duplicate events are correctly ignored, closing the race window.

Risk And Classification

EPSS: 0.000180000 probability, percentile 0.046140000 (date 2026-04-07)

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected fef06678931ff67b158d337b581e5cf5ca40a3a3 3dffc083292e6872787bd7e34b957627622f9af4 git	Not specified
CNA	Linux	Linux	affected fef06678931ff67b158d337b581e5cf5ca40a3a3 2051c709dce92da3550040aa7949cd5a9c89b14e git	Not specified
CNA	Linux	Linux	affected fef06678931ff67b158d337b581e5cf5ca40a3a3 96c9c25b74686ac2de15921c9ad30c5ef13af8cd git	Not specified
CNA	Linux	Linux	affected fef06678931ff67b158d337b581e5cf5ca40a3a3 8d625c15471fb8780125eaef682983a96af77bdc git	Not specified
CNA	Linux	Linux	affected fef06678931ff67b158d337b581e5cf5ca40a3a3 beb6e2e5976a128b0cccf10d158124422210c5ef git	Not specified
CNA	Linux	Linux	affected 6.4	Not specified
CNA	Linux	Linux	unaffected 6.4 semver	Not specified
CNA	Linux	Linux	unaffected 6.6.130 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.78 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.20 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.10 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0-rc5 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/3dffc083292e6872787bd7e34b957627622f9af4	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/96c9c25b74686ac2de15921c9ad30c5ef13af8cd	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/beb6e2e5976a128b0cccf10d158124422210c5ef	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/8d625c15471fb8780125eaef682983a96af77bdc	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/2051c709dce92da3550040aa7949cd5a9c89b14e	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.