Out-of-Cancel: A Vulnerability Class Rooted in Workqueue Cancellation APIs

security kernel vulnerability ★★★★★
Source: v4bel.github.io via Lobsters/security

Summary

This article introduces a new class of vulnerabilities called "Out-of-Cancel" bugs, discovered while analyzing the Linux kernel's workqueue mechanism. The core issue is that developers often treat cancel_work_sync() and related APIs as if they provide a lifetime guarantee for objects, when in reality they only cancel the instance that is pending or currently running; the work can still be queued again through other paths.

Key Insights

  • The Pattern: Object teardown typically follows cancel_work_sync() followed by kfree(), but this pattern has a structural flaw: cancellation doesn't prevent the work from being queued again before the free.
  • New API: The kernel recently added disable_work_sync() specifically to address this gap, indicating the severity of the issue.
  • Case Study: The espintcp vulnerability (CVE-2026-23239) demonstrates how this bug class manifests in the TCP/ULP layer.
  • Exploitation: The article shows how different execution mechanisms (interrupts, Delayed ACK, timers, workqueues, scheduler) combine into a single race condition scenario.
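
The cancel-versus-disable distinction above, as an added user-space model (not the article's code and not kernel code): the function names mirror the Linux workqueue API, but their bodies are a deliberately simplified model, and the single global pending array, the `freed` flag standing in for kfree(), and the `teardown()` driver are assumptions made for the example. It shows why cancel_work_sync() followed by kfree() leaves a window in which another path can requeue the work, while disable_work_sync() closes that window by rejecting further queue_work() calls.

```c
/* Added example: user-space model of cancel_work_sync() vs disable_work_sync().
 * Names follow the Linux workqueue API; the bodies are a simplified model
 * (assumption), not the kernel implementation. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct work_struct {
    void (*func)(struct work_struct *);
    int disable_depth;          /* models the kernel's per-work disable count */
};

struct object {
    struct work_struct work;
    bool freed;                 /* instrumentation standing in for kfree() */
};

/* One global "workqueue": items queued but not yet run (model assumption). */
#define MAX_PENDING 8
static struct work_struct *pending[MAX_PENDING];
static int npending;

static bool queue_work(struct work_struct *w)
{
    if (w->disable_depth > 0)
        return false;           /* disabled: queueing is rejected */
    for (int i = 0; i < npending; i++)
        if (pending[i] == w)
            return false;       /* already pending */
    if (npending == MAX_PENDING)
        return false;
    pending[npending++] = w;
    return true;
}

/* Removes the pending instance (in the kernel it also waits for a running one).
 * It does nothing to stop a later queue_work() on the same item. */
static bool cancel_work_sync(struct work_struct *w)
{
    for (int i = 0; i < npending; i++) {
        if (pending[i] == w) {
            memmove(&pending[i], &pending[i + 1],
                    (size_t)(npending - i - 1) * sizeof(pending[0]));
            npending--;
            return true;
        }
    }
    return false;
}

/* Cancel AND reject every future queue_work() on this item. */
static bool disable_work_sync(struct work_struct *w)
{
    w->disable_depth++;
    return cancel_work_sync(w);
}

static void object_work_fn(struct work_struct *w) { (void)w; }

/* Drain the queue the way a worker would, counting items whose owning object
 * is already freed: each one is a use-after-free the worker would hit. */
static int drain_and_count_uaf(void)
{
    int uaf = 0;
    for (int i = 0; i < npending; i++) {
        struct object *obj = container_of(pending[i], struct object, work);
        if (obj->freed)
            uaf++;
        else
            obj->work.func(&obj->work);
    }
    npending = 0;
    return uaf;
}

/* Teardown in which another execution path (timer, softirq, ...) requeues the
 * work between the cancel and the free. Returns the number of use-after-free
 * hits a later worker run would make. */
static int teardown(bool use_disable, bool concurrent_requeue)
{
    struct object obj = { .work = { .func = object_work_fn } };
    npending = 0;

    queue_work(&obj.work);                  /* normal operation: work queued */

    if (use_disable)
        disable_work_sync(&obj.work);       /* hardened teardown */
    else
        cancel_work_sync(&obj.work);        /* the flawed cancel-then-free pattern */

    if (concurrent_requeue)
        queue_work(&obj.work);              /* the racing requeue path */

    obj.freed = true;                       /* models kfree(obj) */
    return drain_and_count_uaf();           /* drained while obj is still in scope */
}
```

Calling `teardown(false, true)` reproduces the flawed pattern under a concurrent requeue and yields one dangling work item, whereas `teardown(true, true)` yields none because the disabled item can no longer be queued; the model keeps the object on the stack and marks it with a flag so the check itself never touches freed memory.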

Why This Matters

This is not just a missing lock or forgotten check—it's a fundamental design issue in how kernel asynchronous execution is understood. The article explains the technical details of kernel synchronization and demonstrates practical exploit building.

Rating: ★★★★★ — Deep kernel security research with practical exploit details. A must-read for systems programmers and security researchers.


Discovered: 2026-03-28 | Category: Security Research