CVE Catalog

CVE-2026-46098

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile - higher than 2% of all known CVEs

Summary

In the Linux kernel's CAIF subsystem, a vulnerability exists where `caif_connect()` does not clear the client service pointer (`adap_layer->dn`) during teardown, leading to a use-after-free when the socket is destroyed.

Risk Assessment

An attacker could exploit this vulnerability to cause a kernel panic or potentially escalate privileges by controlling the freed memory.

Recommendation

Immediately update the Linux kernel to a version containing the fix that clears client service pointers before releasing the service object.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: net: caif: clear client service pointer on teardown `caif_connect()` can tear down an existing client after remote shutdown by calling `caif_disconnect_client()` followed by `caif_free_client()`. `caif_free_client()` releases the service layer referenced by `adap_layer->dn`, but leaves that pointer stale. When the socket is later destroyed, `caif_sock_destructor()` calls `caif_free_client()` again and dereferences the freed service pointer. Clear the client/service links before releasing the service object so repeated teardown becomes harmless.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS