Skip to main content

Linux Kernel CVE-2026-46098

| EUVDEUVD-2026-32481 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-vfvp-r4j5-4q92
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access with low privilege suffices to open CAIF sockets; no confidentiality or integrity impact - only a kernel crash results.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:37 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: caif: clear client service pointer on teardown

caif_connect() can tear down an existing client after remote shutdown by calling caif_disconnect_client() followed by caif_free_client(). caif_free_client() releases the service layer referenced by adap_layer->dn, but leaves that pointer stale.

When the socket is later destroyed, caif_sock_destructor() calls caif_free_client() again and dereferences the freed service pointer.

Clear the client/service links before releasing the service object so repeated teardown becomes harmless.

AnalysisAI

Use-after-free in the Linux kernel CAIF networking subsystem allows a local low-privileged user to crash the kernel via a double invocation of caif_free_client(). The CAIF socket layer in caif_connect() can tear down a client on remote shutdown, freeing the service object via adap_layer->dn but leaving that pointer stale; when the socket is later destroyed, caif_sock_destructor() dereferences the already-freed pointer, triggering a NULL pointer dereference (CWE-476) and kernel oops. No public exploit exists and EPSS sits at 0.02% (5th percentile), but vendor-released patches are available across multiple stable kernel branches.

Technical ContextAI

CAIF (Common Air Interface over Fibre) is a Linux kernel networking protocol primarily used for modem and radio communication stacks in embedded and mobile environments. The flaw is in net/caif/caif_socket.c. CWE-476 (NULL Pointer Dereference) stems from a classic use-after-free: caif_connect() calls caif_disconnect_client() then caif_free_client(), which releases the service layer object pointed to by adap_layer->dn but does not null that pointer. On subsequent socket teardown, caif_sock_destructor() calls caif_free_client() a second time and dereferences the freed, now-invalid service pointer. The fix nulls out the stale pointer immediately before releasing the service object, making repeated teardown idempotent. Affected CPE is cpe:2.3:o:linux:linux_kernel:* across multiple stable branches, with the vulnerability introduced at commit 43e3692101086add8719c3b8b50b05c9ac5b14e1.

RemediationAI

Upgrade to a patched Linux kernel stable release: 6.6.140, 6.12.86, 6.18.27, 7.0.4, or a build incorporating 7.1-rc1 fixes. Individual fix commits are available at https://git.kernel.org/stable/c/3ac6db584d9d420267bb8413115707eeec76d9cf, https://git.kernel.org/stable/c/63d21a3aa0108b9dde4e99b0d3d5d679ac68c0f9, https://git.kernel.org/stable/c/914c6456fcfc21a3d553945dff62fd1621d6155d, https://git.kernel.org/stable/c/a4b191ddc12c55ddb62feb096536f819f384d6f1, https://git.kernel.org/stable/c/f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8, and three additional commits in the same set. As an interim workaround on systems that do not require CAIF networking, blacklist the module by adding 'blacklist caif' to /etc/modprobe.d/caif-blacklist.conf and running 'modprobe -r caif'; this prevents AF_CAIF socket creation entirely with no functional impact on general-purpose systems. This workaround is low-risk since CAIF is used almost exclusively in embedded modem stacks.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46098 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy