CVE-2026-5590

A race condition during TCP connection teardown can cause tcp recv() to operate on a connection that has already been released. If tcp conn search() returns NULL while processing a SYN packet, a NULL pointer derived from stale context data is passed to tcp backlog is full() and dereferenced without validation, leading to a crash.