Out-of-Cancel: A Vulnerability Class Rooted in Workqueue Cancellation APIs

This article uses the espintcp vulnerability (CVE-2026-23239) as a case study to look at the structure in which the Out-of-Cancel bug class shows up, and to walk through how combining complex kernel interleavings makes the bug actually exploitable.