What is CVE-2026-23120?

A medium-severity vulnerability has been identified in the Linux kernel related to data-race conditions in l2tp_tunnel_del_work(). Organizations using affected versions should prioritize patching to prevent potential availability issues.

What is the severity of CVE-2026-23120?

CVE-2026-23120 has a severity rating of MEDIUM with a CVSS base score of 5.5.

CVE-2026-23120 | Medium Vulnerability in Linux Kernel

In the Linux kernel, a medium-severity vulnerability has been identified. This vulnerability allows the exploitation of data-race conditions in the l2tp_tunnel_del_work() function. The CVSS score is 5.5, indicating a medium level of severity. The vulnerability could lead to availability issues, which may impact organizations relying on affected systems. Therefore, organizations should prioritize patching immediately.

The vulnerability was published on February 14, 2026, and has been analyzed thoroughly. The urgency for defenders is high due to the potential impact on system availability, which underscores the need for immediate action.

Current exploitation status indicates no known public exploits or active exploitation in the wild. However, organizations should remain vigilant and apply the necessary patches as soon as they are available.

To mitigate this vulnerability effectively, organizations must ensure their systems are updated to the latest patched versions of the Linux kernel.

Vulnerability Details

The official description states that the vulnerability allows for a data-race condition in l2tp_tunnel_del_work(). The reported data race occurs when the sk->sk_socket is accessed incorrectly, which can lead to unexpected behavior in the kernel.

This vulnerability has a CVSS score of 5.5, which classifies it as medium severity. The affected product is the Linux kernel, with the publication date being February 14, 2026.

Technical Analysis

The root cause of this vulnerability arises from improper handling of socket data in the l2tp subsystem. The attack vector is local, meaning that an attacker must have local access to exploit this vulnerability. The attack complexity is low, and low privileges are required to exploit it, with no user interaction necessary.

The impact of this vulnerability primarily affects availability, as it can lead to system crashes or unexpected behavior due to the data-race condition.

Risk & Impact Analysis

Organizations using affected versions of the Linux kernel face real-world deployment risks, particularly in environments where high availability is crucial. The blast radius potential is significant, as a successful exploit can disrupt services and lead to downtime.

The urgency assessment is moderate; while there is no active exploitation reported, organizations should still prioritize patching this vulnerability due to its potential impact on availability.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The affected versions of the Linux kernel include versions from 3.16.57 to below 3.17, 4.15.8 to below 4.16, 4.16.1 to below 5.10.249, 5.11 to below 5.15.199, 5.16 to below 6.1.162, 6.2 to below 6.6.122, 6.7 to below 6.12.68, and 6.13 to below 6.18.8.

Mitigation & Remediation

Organizations should ensure they apply the latest patches released by the Linux kernel team. The remediation priority is medium, and administrators should verify their systems are running the latest stable versions to mitigate the risk associated with this vulnerability. If patches are not immediately available, organizations may consider implementing additional monitoring and network controls to limit exposure.

For further guidance, organizations can refer to our penetration testing services for a comprehensive assessment of their security posture.

Detection Guidance

Organizations should monitor logs for indicators of abnormal socket behavior, specifically in the l2tp subsystem. Behavioral anomalies related to socket operations can indicate attempts to exploit this vulnerability. Additionally, monitoring for any unusual crashes or system instability can help identify potential exploitation.

AppSecure Threat Intelligence Insight

This vulnerability highlights the ongoing need for vigilance in managing kernel-level vulnerabilities. It exemplifies the importance of maintaining updated systems and the potential impact of local exploits.

Security teams should prioritize regular updates and consider implementing a vulnerability management program to mitigate risks associated with software vulnerabilities.

For further insights on kernel vulnerabilities, organizations may also find it beneficial to explore our penetration testing methodology to enhance their security posture.

Organizations should also consider adopting best practices for kernel security as outlined in our security testing best practices to further mitigate risks.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2026-23120: Medium Vulnerability in Linux Kernel