Skip to main content

Linux EUVDEUVD-2026-18700

| CVE-2026-23450 CRITICAL
Use After Free (CWE-416)
2026-04-03 Linux GHSA-m7g4-hqc4-25c8
Critical
Disputed · 9.8 Vendor: Linux
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (Linux) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
6.4 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Apr 27, 2026 - 14:22 NVD
9.8 (CRITICAL)
Patch available
Apr 16, 2026 - 05:29 EUVD
1fab5ece76fb42a761178dcd0ebcbf578377b0dd,6d5e4538364b9ceb1ac2941a4deb86650afb3538,1e4f873879e075bbd4eb1c644d6933303ac5eba4
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18700
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()

Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1].

smc_tcp_syn_recv_sock() is called in the TCP receive path (softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP listening socket). It reads sk_user_data to get the smc_sock pointer. However, when the SMC listen socket is being closed concurrently, smc_close_active() sets clcsock->sk_user_data to NULL under sk_callback_lock, and then the smc_sock itself can be freed via sock_put() in smc_release().

This leads to two issues:

  1. NULL pointer dereference: sk_user_data is NULL when

accessed.

  1. Use-after-free: sk_user_data is read as non-NULL, but the

smc_sock is freed before its fields (e.g., queued_smc_hs, ori_af_ops) are accessed.

The race window looks like this (the syzkaller crash [1] triggers via the SYN cookie path: tcp_get_cookie_sock() -> smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path has the same race):

CPU A (softirq) CPU B (process ctx)

tcp_v4_rcv() TCP_NEW_SYN_RECV: sk = req->rsk_listener sock_hold(sk) /* No lock on listener */ smc_close_active(): write_lock_bh(cb_lock) sk_user_data = NULL write_unlock_bh(cb_lock) ... smc_clcsock_release() sock_put(smc->sk) x2 -> smc_sock freed! tcp_check_req() smc_tcp_syn_recv_sock(): smc = user_data(sk) -> NULL or dangling smc->queued_smc_hs -> crash!

Note that the clcsock and smc_sock are two independent objects with separate refcounts. TCP stack holds a reference on the clcsock, which keeps it alive, but this does NOT prevent the smc_sock from being freed.

Fix this by using RCU and refcount_inc_not_zero() to safely access smc_sock. Since smc_tcp_syn_recv_sock() is called in the TCP three-way handshake path, taking read_lock_bh on sk_callback_lock is too heavy and would not survive a SYN flood attack. Using rcu_read_lock() is much more lightweight.

  • Set SOCK_RCU_FREE on the SMC listen socket so that

smc_sock freeing is deferred until after the RCU grace period. This guarantees the memory is still valid when accessed inside rcu_read_lock().

  • Use rcu_read_lock() to protect reading sk_user_data.
  • Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the

smc_sock. If the refcount has already reached zero (close path completed), it returns false and we bail out safely.

Note: smc_hs_congested() has a similar lockless read of sk_user_data without rcu_read_lock(), but it only checks for NULL and accesses the global smc_hs_wq, never dereferencing any smc_sock field, so it is not affected.

Reproducer was verified with mdelay injection and smc_run, the issue no longer occurs with this patch applied.

[1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9

AnalysisAI

NULL dereference and use-after-free in the Linux kernel's SMC (Shared Memory Communications) socket implementation occur when smc_tcp_syn_recv_sock() races with socket close operations, allowing a local attacker to trigger a kernel panic via concurrent manipulation of TCP SYN handling and SMC listen socket closure. The vulnerability affects the Linux kernel across multiple versions via the net/smc subsystem and is addressed through RCU-protected access and refcount validation rather than lock-based serialization.

Technical ContextAI

The vulnerability exists in the SMC protocol implementation (net/smc) within the Linux kernel's networking stack. SMC is a protocol that enables shared memory-based communication over TCP. The issue occurs at the intersection of TCP connection establishment (via icsk_af_ops->syn_recv_sock callback) and SMC socket lifecycle management. During TCP three-way handshake processing in softirq context, the kernel reads the sk_user_data field of a TCP listening socket (clcsock) to retrieve the associated SMC socket (smc_sock) structure. The clcsock and smc_sock maintain separate reference counts; the TCP stack holds a reference on clcsock but not on smc_sock. When a concurrent close operation (smc_close_active()) sets sk_user_data to NULL and releases smc_sock references, a race window opens where the smc_sock can be freed while still being accessed. The fix introduces RCU (Read-Copy-Update) protection via SOCK_RCU_FREE flag to defer freeing, rcu_read_lock() to guard sk_user_data reads, and refcount_inc_not_zero() to safely validate object liveness before dereferencing smc_sock fields.

RemediationAI

Apply the kernel patch that implements RCU-protected access to sk_user_data in smc_tcp_syn_recv_sock(). The fix is available in upstream Linux kernel commits including 1e4f873879e075bbd4eb1c644d6933303ac5eba4, f00fc26c8a06442b225a350fe000c0a11483e6a3, cadf3da46c15523fba90d80c9955f536ee3b4023, fd7579f0a2c84ba8a7d4f206201b50dc8ddf90c2, 1fab5ece76fb42a761178dcd0ebcbf578377b0dd, and 6d5e4538364b9ceb1ac2941a4deb86650afb3538 as referenced in the kernel.org stable branch. Upgrade to a kernel version that includes these fixes. The patch cannot be effectively backported as a standalone change due to the integration depth into SMC socket lifecycle management; full kernel update is the recommended path. As a temporary mitigation, systems not requiring SMC functionality can disable the feature by setting CONFIG_SMC=n at kernel build time, though this is not practical for production systems where SMC may already be enabled.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-18700 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy