CVE-2026-23450 [Critical] | Use-After-Free in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock() Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1]. smc_tcp_syn_recv_sock() is called in the TCP receive path (softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP listening socket). It reads sk_user_data to get the smc_sock pointer. However, when the SMC listen socket is being closed concurrently, smc_close_active() sets clcsock->sk_user_data to NULL under sk_callback_lock, and then the smc_sock itself can be freed via sock_put() in smc_release(). This leads to two issues: 1) NULL pointer dereference: sk_user_data is NULL when accessed. 2) Use-after-free: sk_user_data is read as non-NULL, but the smc_sock is freed before its fields (e.g., queued_smc_hs, ori_af_ops) are accessed. The race window looks like this (the syzkaller crash [1] triggers via the SYN cookie path: tcp_get_cookie_sock() -> smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path has the same race): CPU A (softirq) CPU B (process ctx) tcp_v4_rcv() TCP_NEW_SYN_RECV: sk = req->rsk_listener sock_hold(sk) /* No lock on listener */ smc_close_active(): write_lock_bh(cb_lock) sk_user_data = NULL write_unlock_bh(cb_lock) ... smc_clcsock_release() sock_put(smc->sk) x2 -> smc_sock freed! tcp_check_req() smc_tcp_syn_recv_sock(): smc = user_data(sk) -> NULL or dangling smc->queued_smc_hs -> crash! Note that the clcsock and smc_sock are two independent objects with separate refcounts. TCP stack holds a reference on the clcsock, which keeps it alive, but this does NOT prevent the smc_sock from being freed. Fix this by using RCU and refcount_inc_not_zero() to safely access smc_sock. Since smc_tcp_syn_recv_sock() is called in the TCP three-way handshake path, taking read_lock_bh on sk_callback_lock is too heavy and would not survive a SYN flood attack. Using rcu_read_lock() is much more lightweight. - Set SOCK_RCU_FREE on the SMC listen socket so that smc_sock freeing is deferred until after the RCU grace period. This guarantees the memory is still valid when accessed inside rcu_read_lock(). - Use rcu_read_lock() to protect reading sk_user_data. - Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the smc_sock. If the refcount has already reached zero (close path completed), it returns false and we bail out safely. Note: smc_hs_congested() has a similar lockless read of sk_user_data without rcu_read_lock(), but it only checks for NULL and accesses the global smc_hs_wq, never dereferencing any smc_sock field, so it is not affected. Reproducer was verified with mdelay injection and smc_run, the issue no longer occurs with this patch applied. [1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-04-28	0.02%	0.07%	+0.05%
2	2026-04-04	—	0.02%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-04-28

0.02%

0.07%

+0.05%

2026-04-04

—

0.02%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
9.8	3.1	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	3.9	5.9	416baaa9-dc9f-4396-8d5f-8c081fb06d67

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

9.8

3.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

3.9

5.9

416baaa9-dc9f-4396-8d5f-8c081fb06d67

OS Trackers for CVE-2026-23450

vendor	priority	summary	link
`debian`	unimportant	CVE-2026-23450 unimportant priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6.	https://security-tracker.debian.org/tracker/CVE-2026-23450
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2026-23450
`suse`	high	CVE-2026-23450 severity important: SUSE including 18 source package names (cluster-md-kmp-default, dlm-kmp-default, …), 92 product×package rows across 19 product lines (SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS, SUSE Linux Enterprise Live Patching 12 SP5, … (19 product lines)): Known Not Affected 92.	https://www.suse.com/security/cve/CVE-2026-23450/
`ubuntu`	medium	CVE-2026-23450 medium priority: Ubuntu including 157 source packages (linux, linux-allwinner-5.19, …), 1413 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): DNE 1018, ignored 169, needed 87, released 83, not-affected 56.	https://ubuntu.com/security/CVE-2026-23450

Affected software / configurations for CVE-2026-23450

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 5.15.174, < 5.15.203	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.18, < 6.1.167	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.2, < 6.6.130	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.7, < 6.12.78	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.13, < 6.18.20	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.19, < 6.19.10	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::

References for CVE-2026-23450

URL	Tags
https://git.kernel.org/stable/c/1e4f873879e075bbd4eb1c644d6933303ac5eba4	Patch
https://git.kernel.org/stable/c/1fab5ece76fb42a761178dcd0ebcbf578377b0dd	Patch
https://git.kernel.org/stable/c/6d5e4538364b9ceb1ac2941a4deb86650afb3538	Patch
https://git.kernel.org/stable/c/cadf3da46c15523fba90d80c9955f536ee3b4023	Patch
https://git.kernel.org/stable/c/f00fc26c8a06442b225a350fe000c0a11483e6a3	Patch
https://git.kernel.org/stable/c/f315277856caeafcd996c2611afc085ca2d53275	Patch
https://git.kernel.org/stable/c/fd7579f0a2c84ba8a7d4f206201b50dc8ddf90c2	Patch

URL

CVE-2026-23450 | net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()

Exploit prediction scoring system (EPSS) score for CVE-2026-23450

Common vulnerability scoring system (CVSS) metrics for CVE-2026-23450

Weakness enumeration for CVE-2026-23450

GitHub Security Advisory for CVE-2026-23450

OS Trackers for CVE-2026-23450

Affected software / configurations for CVE-2026-23450

References for CVE-2026-23450