CVE-2026-46098
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
In the Linux kernel's CAIF subsystem, a vulnerability exists where `caif_connect()` does not clear the client service pointer (`adap_layer->dn`) during teardown, leading to a use-after-free when the socket is destroyed.
Risk Assessment
An attacker could exploit this vulnerability to cause a kernel panic or potentially escalate privileges by controlling the freed memory.
Recommendation
Immediately update the Linux kernel to a version containing the fix that clears client service pointers before releasing the service object.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: net: caif: clear client service pointer on teardown `caif_connect()` can tear down an existing client after remote shutdown by calling `caif_disconnect_client()` followed by `caif_free_client()`. `caif_free_client()` releases the service layer referenced by `adap_layer->dn`, but leaves that pointer stale. When the socket is later destroyed, `caif_sock_destructor()` calls `caif_free_client()` again and dereferences the freed service pointer. Clear the client/service links before releasing the service object so repeated teardown becomes harmless.

