Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AC:H because exploitation requires a non-default, root-established precondition (tracepoint enabled) outside the low-privileged attacker's control; PR:L reflects that the crash trigger itself is unprivileged once the tracepoint is active.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint
The smc_msg_event tracepoint class, shared by smc_tx_sendmsg and smc_rx_recvmsg, unconditionally dereferences smc->conn.lnk:
__string(name, smc->conn.lnk->ibname)
conn->lnk is only set for SMC-R; for SMC-D it is NULL. Other code on these paths already handles this (e.g. !conn->lnk in SMC_STAT_RMB_TX_SIZE_SMALL()). With the tracepoint enabled, the first sendmsg()/recvmsg() on an SMC-D socket crashes:
Oops: general protection fault, probably for non-canonical address KASAN: null-ptr-deref in range [...] RIP: 0010:strlen+0x1e/0xa0 Call Trace: trace_event_raw_event_smc_msg_event (net/smc/smc_tracepoint.h:44) smc_rx_recvmsg (net/smc/smc_rx.c:515) smc_recvmsg (net/smc/af_smc.c:2859) __sys_recvfrom (net/socket.c:2315) __x64_sys_recvfrom (net/socket.c:2326) do_syscall_64
The faulting address 0x3e0 is offsetof(struct smc_link, ibname), confirming the NULL ->lnk deref. Enabling the tracepoint requires root, but the trigger itself is unprivileged: socket(AF_SMC, ...) has no capability check, and SMC-D negotiation needs no admin step on s390 or on x86 with the loopback ISM device loaded.
Log an empty device name for SMC-D instead of dereferencing NULL.
AnalysisAI
NULL pointer dereference in the Linux kernel SMC subsystem's smc_msg_event tracepoint crashes the kernel when SMC-D socket traffic is processed while the tracepoint is active. Affected kernels from commit aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84 across multiple stable branches dereference conn->lnk unconditionally in the tracepoint, though this pointer is only valid for SMC-R connections and is NULL for SMC-D. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Two conditions must both be true: first, the smc_msg_event tracepoint (backing smc_tx_sendmsg or smc_rx_recvmsg) must be explicitly enabled, which requires root access to the kernel tracing subsystem (typically via /sys/kernel/tracing/events/smc/); second, the system must support the SMC-D transport path - available natively on s390 or on x86 only when the ISM loopback device (ism.ko) is loaded. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS scores this 5.5 (Medium) at AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A kernel developer or site-reliability engineer enables the smc_rx_recvmsg tracepoint on an x86 production server running the loopback ISM module for SMC-D workload debugging. A local unprivileged user or competing container workload then opens an AF_SMC socket; the SMC handshake selects the SMC-D path, and the first recvmsg() call hits the tracepoint, which dereferences the NULL conn->lnk field while formatting the device name - crashing the kernel and taking down all workloads on the host. … |
| Remediation | Upgrade to a patched kernel release: 6.1.175, 6.6.142, 6.12.92, 6.18.34, 7.0.11, or 7.1, applying the corresponding stable-tree fix commit for your branch (see references above). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra
An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT
Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte
Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38711
GHSA-x48q-47qq-gv8g