SB2026040685 - NULL pointer dereference in Linux kernel smc
Published: April 6, 2026
Security Bulletin ID
SB2026040685
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) NULL pointer dereference (CVE-ID: CVE-2026-23450)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in smc_tcp_syn_recv_sock() when processing TCP connection requests concurrently with closing an SMC listen socket. A remote attacker can send network traffic that triggers access to a NULL sk_user_data pointer to cause a denial of service.
The issue arises when sk_user_data is set to NULL during the close path while the TCP receive path reads it and dereferences the associated state, leading to a kernel panic.
Remediation
Install update from vendor's website.
References
- https://git.kernel.org/stable/c/1e4f873879e075bbd4eb1c644d6933303ac5eba4
- https://git.kernel.org/stable/c/1fab5ece76fb42a761178dcd0ebcbf578377b0dd
- https://git.kernel.org/stable/c/6d5e4538364b9ceb1ac2941a4deb86650afb3538
- https://git.kernel.org/stable/c/cadf3da46c15523fba90d80c9955f536ee3b4023
- https://git.kernel.org/stable/c/f00fc26c8a06442b225a350fe000c0a11483e6a3
- https://git.kernel.org/stable/c/fd7579f0a2c84ba8a7d4f206201b50dc8ddf90c2