Skip to main content

Linux Kernel EUVDEUVD-2026-32408

| CVE-2026-46027 HIGH
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-6hp6-98mx-37xj
7.5
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:37 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.5 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/smc: avoid early lgr access in smc_clc_wait_msg

A CLC decline can be received while the handshake is still in an early stage, before the connection has been associated with a link group.

The decline handling in smc_clc_wait_msg() updates link-group level sync state for first-contact declines, but that state only exists after link group setup has completed. Guard the link-group update accordingly and keep the per-socket peer diagnosis handling unchanged.

This preserves the existing sync_err handling for established link-group contexts and avoids touching link-group state before it is available.

AnalysisAI

Denial-of-service in the Linux kernel's SMC (Shared Memory Communications) networking subsystem allows remote attackers to crash the kernel by sending a CLC decline message during the early stage of an SMC handshake before the connection is associated with a link group. The flaw, tracked as EUVD-2026-32408, stems from smc_clc_wait_msg() accessing link-group sync state that does not yet exist at that point in the handshake. No public exploit identified at time of analysis and EPSS probability is very low (0.02%, 5th percentile), but the network attack vector and high availability impact warrant patching on systems that use SMC.

Technical ContextAI

SMC (Shared Memory Communications, RFC 7609) is a Linux kernel protocol that accelerates TCP-style sockets over RDMA-capable hardware (SMC-R) or IBM s390 Internal Shared Memory (SMC-D). Connections begin with a CLC (Connection Layer Control) handshake; if the peer cannot complete it, it sends a CLC decline. The bug lives in net/smc/smc_clc.c::smc_clc_wait_msg(), where decline handling updates link-group-level sync_err state for first-contact declines. Because link groups are created only after handshake completion, processing a decline that arrives early dereferences or mutates link-group state that has not yet been allocated/associated, leading to a kernel-side fault. The fix guards the link-group update so only per-socket peer diagnosis runs in the pre-link-group window, preserving sync_err semantics for established link groups.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 (or any distribution kernel that backports the smc_clc_wait_msg guard from the commits above). Distribution users should track their vendor's security advisories (RHEL, SUSE, Ubuntu, Debian, Amazon Linux) for backported builds, since stable-tree commits are the upstream source of truth. If immediate patching is not possible, the most effective compensating control is to disable SMC where it is not required by unloading the smc module (rmmod smc smc_diag) and blacklisting it via /etc/modprobe.d/, which eliminates the attack surface entirely at the cost of losing SMC-R/SMC-D acceleration; on s390 mainframes this trade-off may be unacceptable. Where SMC must remain enabled, restrict reachability of SMC-capable hosts at the network layer (host firewall, RDMA fabric segmentation) so only trusted peers can initiate handshakes, accepting that this does not protect against a compromised peer.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32408 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy