CVE-2026-23450

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description The Linux kernel contains a flaw in the net/smc module within the smc tcp syn recv sock() function. This issue involves a potential NULL pointer dereference and a use-after-free condition. Specifically, when the SMC listen socket is being closed, the sk user data pointer can be set to NULL while the associated smc sock structure might still be in use. This race condition can occur during the TCP receive path (softirq) and can lead to a system panic. The vulnerability arises because the TCP stack holds a reference to the clcsock, but this does not prevent the smc sock from being freed. The fix involves using RCU and refcount inc not zero() to safely access the smc sock pointer, setting SOCK RCU FREE on the SMC listen socket, and using rcu read lock() to protect reading sk user data.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.