Mallory
Severity: Critical

Linux kernel net/smc smc_tcp_syn_recv_sock() NULL dereference and use-after-free

Identifiers: CVE-2026-23450, CWE-416 · Use After Free

CVE-2026-23450 is a race-condition-driven memory-safety vulnerability in the Linux kernel net/smc subsystem, specifically in smc_tcp_syn_recv_sock(). When an AF_SMC socket is put into listen, net/smc hooks the syn_recv_sock operation of its underlying TCP socket (the clcsock), so smc_tcp_syn_recv_sock() runs in the TCP receive path via icsk_af_ops->syn_recv_sock for every inbound SYN on that listener. It reads the clcsock's sk_user_data to recover the owning smc_sock.

The race: during concurrent closure of the SMC listen socket, smc_close_active() clears sk_user_data to NULL under sk_callback_lock, and the smc_sock is then freed by the final sock_put() in smc_release(). The clcsock and the smc_sock are separate objects with independent reference counts, so the reference the TCP stack holds on the clcsock does not keep the smc_sock alive. Depending on where the SYN handler is when the close lands, smc_tcp_syn_recv_sock() therefore either dereferences a NULL sk_user_data pointer or dereferences a dangling smc_sock pointer after the free when it accesses fields such as queued_smc_hs or ori_af_ops.

The issue was reported by syzkaller and is reachable through both the SYN cookie path (tcp_get_cookie_sock() -> smc_tcp_syn_recv_sock()) and the normal tcp_check_req() path, so it does not depend on whether SYN cookies are in use. The upstream fix protects the sk_user_data access with RCU, sets SOCK_RCU_FREE so that freeing of the smc_sock is deferred past the RCU read-side critical section, and uses refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the smc_sock before dereferencing it; if the count is already zero the listener is gone and the handler cannot proceed on its behalf.
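To make the window concrete, here is an added userspace model of the race and of the refcount_inc_not_zero() pinning pattern the fix relies on. It is example code written for this entry, not the kernel's net/smc code and not Mallory's; struct smc_sock, struct clcsock, sock_put(), smc_close_active(), run_closer() and the enum names are simplified stand-ins, the "freed" flag and poison value replace an actual kfree() so the dangling read can be observed without undefined behaviour, and the closing CPU's work is injected deterministically into the handler's window instead of racing a real thread. RCU is represented only by comments: in the model the object is never actually unmapped, which is exactly the guarantee SOCK_RCU_FREE provides inside rcu_read_lock().

```c
/* Added userspace model of the CVE-2026-23450 race; not kernel code. The structs,
 * enums and helpers are simplified stand-ins for smc_sock, clcsock, sock_put(),
 * smc_close_active() and refcount_inc_not_zero(). */
#include <assert.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct smc_sock {
    atomic_int sk_refcnt;  /* models smc->sk.sk_refcnt */
    int queued_smc_hs;     /* one of the fields smc_tcp_syn_recv_sock() reads */
    bool freed;            /* set by the model's final sock_put() instead of freeing memory */
};
struct clcsock { _Atomic(struct smc_sock *) sk_user_data; };  /* clcsock->sk->sk_user_data */
enum syn_result {
    SYN_ACCEPTED,         /* fields read from a live smc_sock */
    SYN_DROPPED_CLOSING,  /* fixed handler saw NULL or a dying object and dropped the SYN */
    SYN_NULL_DEREF,       /* vulnerable handler would dereference a NULL sk_user_data */
    SYN_USE_AFTER_FREE,   /* vulnerable handler read an smc_sock that was already freed */
};
enum race {  /* where the closing CPU's work lands relative to the SYN handler */
    RACE_NONE,                      /* no close at all */
    RACE_CLOSE_BEFORE_SYN,          /* smc_close_active() already done, smc_sock still alive */
    RACE_CLOSE_AFTER_LOAD,          /* close lands after the handler read sk_user_data */
    RACE_CLOSE_RELEASE_AFTER_LOAD,  /* close and the final sock_put() land after the read */
};
/* refcount_inc_not_zero(): take a reference only if the object is not already dying. */
static bool refcount_inc_not_zero(atomic_int *r)
{
    int old = atomic_load(r);
    while (old != 0)
        if (atomic_compare_exchange_weak(r, &old, old + 1))
            return true;
    return false;
}

static void sock_put(struct smc_sock *smc)
{
    if (atomic_fetch_sub(&smc->sk_refcnt, 1) == 1) {  /* last reference: "kfree" it */
        smc->freed = true;
        smc->queued_smc_hs = -1;  /* poison standing in for freed memory */
    }
}

/* smc_close_active() on a listen socket detaches the clcsock; smc_release() then drops
 * the listener's reference. Both are injected into the handler's window by run_closer(). */
static void smc_close_active(struct clcsock *clc) { atomic_store(&clc->sk_user_data, NULL); }
static void run_closer(struct clcsock *clc, struct smc_sock *owner, enum race race)
{
    if (race == RACE_CLOSE_AFTER_LOAD || race == RACE_CLOSE_RELEASE_AFTER_LOAD)
        smc_close_active(clc);
    if (race == RACE_CLOSE_RELEASE_AFTER_LOAD)
        sock_put(owner);
}

/* Before the fix: plain pointer read, no NULL check, no reference of its own. */
static enum syn_result syn_recv_vulnerable(struct clcsock *clc, struct smc_sock *owner, enum race race)
{
    struct smc_sock *smc = atomic_load(&clc->sk_user_data);
    run_closer(clc, owner, race);
    if (!smc)
        return SYN_NULL_DEREF;
    return smc->freed ? SYN_USE_AFTER_FREE : SYN_ACCEPTED;
}

/* After the fix: read sk_user_data inside rcu_read_lock() (SOCK_RCU_FREE keeps the memory
 * valid until rcu_read_unlock()), then pin the object before touching any field. */
static enum syn_result syn_recv_fixed(struct clcsock *clc, struct smc_sock *owner, enum race race)
{
    struct smc_sock *smc = atomic_load(&clc->sk_user_data);  /* rcu_dereference() */
    run_closer(clc, owner, race);
    if (!smc || !refcount_inc_not_zero(&smc->sk_refcnt))
        return SYN_DROPPED_CLOSING;  /* listener detached or dying: drop the SYN */
    int hs = smc->queued_smc_hs;     /* our own reference keeps smc alive from here on */
    sock_put(smc);
    return hs >= 0 ? SYN_ACCEPTED : SYN_USE_AFTER_FREE;
}

/* Fresh objects per run; also checks that no reference was leaked or double-dropped. */
static enum syn_result run_scenario(bool fixed, enum race race)
{
    struct smc_sock smc = { .sk_refcnt = 1, .queued_smc_hs = 3, .freed = false };
    struct clcsock clc = { .sk_user_data = &smc };
    if (race == RACE_CLOSE_BEFORE_SYN)
        smc_close_active(&clc);
    enum syn_result r = fixed ? syn_recv_fixed(&clc, &smc, race)
                              : syn_recv_vulnerable(&clc, &smc, race);
    bool released = race == RACE_CLOSE_RELEASE_AFTER_LOAD;
    assert(smc.freed == released && atomic_load(&smc.sk_refcnt) == (released ? 0 : 1));
    return r;
}

int main(void)
{
    static const char *const names[] = { "accepted", "dropped", "NULL-deref", "use-after-free" };
    for (int race = RACE_NONE; race <= RACE_CLOSE_RELEASE_AFTER_LOAD; race++)
        printf("race %d: vulnerable=%-14s fixed=%s\n", race,
               names[run_scenario(false, (enum race)race)], names[run_scenario(true, (enum race)race)]);
    return 0;
}
```

Two points the model makes visible: a close without the release (RACE_CLOSE_AFTER_LOAD) is harmless for both handlers, because the smc_sock is still alive, which is why the bug only surfaces when the listener's last reference is dropped inside the window; and the fixed handler converts that case into a dropped SYN rather than a crash precisely because refcount_inc_not_zero() refuses to resurrect an object whose count has reached zero, which is only safe to attempt because SOCK_RCU_FREE guarantees the memory is still mapped at that point.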


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful triggering causes a kernel memory-safety failure in the TCP/SMC handshake path: either a NULL pointer dereference or a use-after-free on the released smc_sock. The practical impact documented for this CVE is a kernel panic, i.e. denial of service of the whole host, not just of the SMC service. Because the flaw dereferences a freed kernel object in softirq context, memory corruption beyond a crash is possible in principle, but the available material documents crash/panic behaviour only, not confirmed controlled code execution. Triggering requires a host that has an AF_SMC listening socket and a close of that listener racing with inbound SYNs; the SYNs are ordinary TCP packets arriving on the clcsock, so the remote side needs no SMC support to keep the vulnerable handler busy while the listener closes.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by removing the vulnerable code path. The smc_tcp_syn_recv_sock() hook is installed only on the TCP clcsock of an AF_SMC socket that has been put into listen, so a host with no SMC listeners does not execute it: where operationally feasible, stop services that listen on AF_SMC (including those wrapped with smc_run or the SMC preload library) or prevent the smc module from loading (e.g. a modprobe.d blacklist) until the kernel is patched. For hosts that must keep SMC listeners, limit untrusted network reachability to them, since any source that can deliver SYNs to the listener can take part in the race. No complete mitigation short of applying the kernel fix is described.

Remediation

Patch, then assume compromise.

Apply a Linux kernel that contains the upstream fix for CVE-2026-23450. The fix sets SOCK_RCU_FREE on the SMC listen socket so the smc_sock is freed only after an RCU grace period, wraps the sk_user_data read in rcu_read_lock()/rcu_read_unlock(), and uses refcount_inc_not_zero() on smc->sk.sk_refcnt to take a reference before dereferencing the smc_sock, so that a listener whose count has already reached zero is never touched. Downstream vendor kernel updates, including the SUSE advisories referenced by this entry, carry the same fix; confirm it through the distribution's changelog or advisory rather than by upstream version string alone, since backported fixes do not change that string.
PUBLIC EXPLOITS

Exploits

No public exploit code has been observed for this vulnerability; Mallory keeps watching.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Linux | Linux Kernel | operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
