CVE-2026-23460

MEDIUM EPSS 2.4%
Published Apr 3, 20262mo ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Apr 3, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect syzkaller reported a bug [1], and the reproducer is available at [2]. ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN, TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING (-ECONNREFUSED), but lacks a check for TCP_SYN_SENT. When rose_connect() is called a second time while the first connection attempt is still in progress (TCP_SYN_SENT), it overwrites rose->neighbour via rose_get_neigh(). If that returns NULL, the socket is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL. When the socket is subsequently closed, rose_release() sees ROSE_STATE_1 and calls rose_write_internal() -> rose_transmit_link(skb, NULL), causing a NULL pointer dereference. Per connect(2), a second connect() while a connection is already in progress should return -EALREADY. Add this missing check for TCP_SYN_SENT to complete the state validation in rose_connect(). [1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271 [2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 16

VendorProductVersionRange
linuxlinux_kernel*≥2.6.12.1  –  <5.10.253
linuxlinux_kernel*≥5.11  –  <5.15.203
linuxlinux_kernel*≥5.16  –  <6.1.167
linuxlinux_kernel*≥6.2  –  <6.6.130
linuxlinux_kernel*≥6.7  –  <6.12.78
linuxlinux_kernel*≥6.13  –  <6.18.20
linuxlinux_kernel*≥6.19  –  <6.19.10
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/0c3e8bff808f17ad37a51d8e719eed22c7863120
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/0c9fb70a206a8734e10468ecc24d57c7596cf64e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/508f49ccbe0329641bb681f7d0052bb4e5943252
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a12254050e3050f1011cd24f3b880a6882d0139d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a753844d2a8136f090123c8fb1ff6c7f6ee7c2b3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c2ab74c12932e52cfa1e7e4582d42b0c8bec96c7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c85fe6580e86947ca07907ebf4363a73c156fda7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e1f0a18c9564cdb16523c802e2c6fe5874e3d944
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0c3e8bff808f17ad37a51d8e719eed22c7863120
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/0c9fb70a206a8734e10468ecc24d57c7596cf64e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/508f49ccbe0329641bb681f7d0052bb4e5943252
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a12254050e3050f1011cd24f3b880a6882d0139d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a753844d2a8136f090123c8fb1ff6c7f6ee7c2b3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c2ab74c12932e52cfa1e7e4582d42b0c8bec96c7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c85fe6580e86947ca07907ebf4363a73c156fda7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e1f0a18c9564cdb16523c802e2c6fe5874e3d944
    Patch