Skip to main content

Linux CVE-2026-23460

| EUVDEUVD-2026-18720 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-04-03 Linux GHSA-cx6c-45wp-f5pr
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 26, 2026 - 14:37 NVD
5.5 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
508f49ccbe0329641bb681f7d0052bb4e5943252,0c9fb70a206a8734e10468ecc24d57c7596cf64e,0c3e8bff808f17ad37a51d8e719eed22c7863120
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18720
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect

syzkaller reported a bug [1], and the reproducer is available at [2].

ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN, TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING (-ECONNREFUSED), but lacks a check for TCP_SYN_SENT.

When rose_connect() is called a second time while the first connection attempt is still in progress (TCP_SYN_SENT), it overwrites rose->neighbour via rose_get_neigh(). If that returns NULL, the socket is left with rose->state ROSE_STATE_1 but rose->neighbour NULL. When the socket is subsequently closed, rose_release() sees ROSE_STATE_1 and calls rose_write_internal() -> rose_transmit_link(skb, NULL), causing a NULL pointer dereference.

Per connect(2), a second connect() while a connection is already in progress should return -EALREADY. Add this missing check for TCP_SYN_SENT to complete the state validation in rose_connect().

[1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271 [2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516

AnalysisAI

NULL pointer dereference in Linux kernel ROSE socket implementation allows local denial of service when rose_connect() is called twice during an active connection attempt. The vulnerability occurs because rose_connect() fails to validate TCP_SYN_SENT state, permitting rose->neighbour to be overwritten with NULL, which later causes a kernel crash when rose_transmit_link() dereferences the NULL pointer during socket closure. No active exploitation reported; fix available in upstream kernel commits.

Technical ContextAI

The ROSE (Radio Operating Service over Ethernet) protocol in the Linux kernel uses four socket states: TCP_CLOSE, TCP_LISTEN, TCP_SYN_SENT, and TCP_ESTABLISHED. The vulnerability resides in the rose_connect() function (net/rose/af_rose.c), which manages socket connection state transitions. When a second connect() call arrives while TCP_SYN_SENT is active, the function invokes rose_get_neigh() to obtain a neighbor reference, potentially overwriting the existing rose->neighbour pointer. If rose_get_neigh() returns NULL (e.g., due to network conditions or resource exhaustion), the socket remains in ROSE_STATE_1 with a NULL neighbour pointer-an invalid state combination. Subsequently, socket closure triggers rose_release() → rose_write_internal() → rose_transmit_link(skb, NULL), dereferencing the NULL pointer in kernel space. The root cause is insufficient input validation in the state machine; the function validates TCP_ESTABLISHED and TCP_CLOSE with SS_CONNECTING but omits TCP_SYN_SENT validation required by POSIX connect(2) semantics (which mandate -EALREADY return for in-progress connections).

RemediationAI

Apply upstream kernel patch commits via kernel update to a patched stable branch (6.1, 6.6, 6.10, 6.11 or newer). The fix is a simple state validation addition in rose_connect() that returns -EALREADY when TCP_SYN_SENT is detected, preventing state overwrite. Linux distributions should backport the fix from upstream commits or apply patches directly. Users unable to update immediately should disable the ROSE kernel module if not required: run rmmod rose (if loaded) or add 'install rose /bin/true' to /etc/modprobe.d/ to blacklist the module. Verify patch application via kernel version check (uname -r) and confirmation that the ROSE module is disabled or updated. Patch references are available at https://git.kernel.org/stable/c/ with the commit hashes listed above.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.145 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.132 Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.162 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.132 Affected
Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.176 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.125 Affected
Image SLES-Azure-Basic Image SLES-EC2 Image SLES-Hardened-BYOS-Azure Image SLES-SAPCAL-Azure Affected
SUSE Linux Micro 6.2 Fixed

Share

CVE-2026-23460 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy