Skip to main content

Linux Kernel CVE-2026-46330

| EUVDEUVD-2026-35431 HIGH
Use After Free (CWE-416)
2026-06-09 Linux GHSA-fm5x-69c3-7mfj
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local unprivileged trigger via setsockopt (AV:L, PR:L); winning a VFS race against concurrent fd access raises AC to H; successful UAF yields full kernel C/I/A compromise.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 14, 2026 - 06:38 vuln.today
CVSS changed
Jun 14, 2026 - 06:22 NVD
7.8 (HIGH)
Patch available
Jun 09, 2026 - 15:01 EUVD
CVE Published
Jun 09, 2026 - 12:25 cve.org
HIGH 7.8
CVE Published
Jun 09, 2026 - 12:25 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Revert "net/smc: Introduce TCP ULP support"

This reverts commit d7cd421da9da2cc7b4d25b8537f66db5c8331c40.

As reported by Al Viro, the TCP ULP support for SMC is fundamentally broken. The implementation attempts to convert an active TCP socket into an SMC socket by modifying the underlying struct file, dentry, and inode in-place, which violates core VFS invariants that assume these structures are immutable for an open file, creating a risk of use after free errors and general system instability.

Given the severity of this design flaw and the fact that cleaner alternatives (e.g., LD_PRELOAD, BPF) exist for legacy application transparency, the correct course of action is to remove this feature entirely.

AnalysisAI

Use-after-free and VFS invariant violations in the Linux kernel SMC subsystem (5.17 through pre-6.19.4) allow local privileged users to trigger memory corruption and system instability via the TCP ULP-to-SMC conversion path. The upstream maintainers fully reverted the underlying commit d7cd421da9da rather than attempting an in-place fix, citing fundamental design flaws; no public exploit identified at time of analysis and EPSS sits at 0.02% (5th percentile).

Technical ContextAI

The flaw lives in the Shared Memory Communications (SMC) protocol implementation, specifically the TCP Upper Layer Protocol (ULP) hook introduced in commit d7cd421da9da to enable transparent SMC adoption by legacy TCP applications. The implementation attempted to mutate an active socket's backing struct file, dentry, and inode in place - a violation of core Virtual File System (VFS) invariants which treat these structures as immutable for the lifetime of an open file. Because reference-counted VFS objects can be observed concurrently by other kernel paths (e.g., /proc, fd table lookups, file_operations dispatch), rewriting them races with readers and creates classic use-after-free conditions, matching CWE-416 even though the CVE record lists CWE as N/A. Affected CPEs are cpe:2.3:a:linux:linux:* spanning kernels from 5.17 up to the fixed builds 6.19.4 and 7.0 (per EUVD).

RemediationAI

Vendor-released patch: upgrade to Linux kernel 6.19.4 or 7.0, which carry the revert of the broken TCP ULP-for-SMC support (commits https://git.kernel.org/stable/c/6c505d95c69e27dbf28fea29dc84d2498d69515c and https://git.kernel.org/stable/c/df31a6b0a3057e66994ad6ccf5d95b9b9514f033); distro consumers should track their vendor's backport (RHEL, SUSE, Ubuntu, Debian, Amazon Linux advisories tied to the corresponding stable branches). As a workaround on unpatched hosts, prevent the smc module from loading (e.g., add 'install smc /bin/true' to /etc/modprobe.d/blacklist-smc.conf and remove it from initramfs) which fully closes the attack surface but breaks any application that legitimately uses SMC-R/SMC-D - acceptable on most general-purpose servers but not on IBM Z workloads or RDMA deployments that rely on SMC. Where SMC must remain available, restrict shell and container access to trusted users and audit setsockopt(TCP_ULP, "smc") usage with auditd, recognizing this only reduces, not eliminates, exposure.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

CVE-2026-46330 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy