SB2026040684 - Use-after-free in Linux kernel smc
Published: April 6, 2026
Security Bulletin ID
SB2026040684
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Use-after-free (CVE-ID: CVE-2026-23450)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a race condition leading to a NULL pointer dereference and use-after-free in smc_tcp_syn_recv_sock() when processing TCP connection requests concurrently with closing an SMC listen socket. A remote attacker can send network traffic that triggers the TCP handshake path to cause a denial of service.
The issue occurs because sk_user_data may become NULL or reference a freed smc_sock while the TCP receive path accesses it, resulting in a kernel panic.
Remediation
Install update from vendor's website.
References
- https://git.kernel.org/stable/c/1e4f873879e075bbd4eb1c644d6933303ac5eba4
- https://git.kernel.org/stable/c/1fab5ece76fb42a761178dcd0ebcbf578377b0dd
- https://git.kernel.org/stable/c/6d5e4538364b9ceb1ac2941a4deb86650afb3538
- https://git.kernel.org/stable/c/cadf3da46c15523fba90d80c9955f536ee3b4023
- https://git.kernel.org/stable/c/f00fc26c8a06442b225a350fe000c0a11483e6a3
- https://git.kernel.org/stable/c/fd7579f0a2c84ba8a7d4f206201b50dc8ddf90c2