CVE-2026-46027 - Vulnerability Details

- net/smc: avoid early lgr access in smc_clc_wait_msg

Description

In the Linux kernel, the following vulnerability has been resolved:

net/smc: avoid early lgr access in smc_clc_wait_msg

A CLC decline can be received while the handshake is still in an early
stage, before the connection has been associated with a link group.

The decline handling in smc_clc_wait_msg() updates link-group level sync
state for first-contact declines, but that state only exists after link
group setup has completed. Guard the link-group update accordingly and
keep the per-socket peer diagnosis handling unchanged.

This preserves the existing sync_err handling for established link-group
contexts and avoids touching link-group state before it is available.

Published: 2026-05-27

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is located in the Linux kernel’s net/smc subsystem. When a Client Link Control (CLC) decline is received before the link group setup completes, smc_clc_wait_msg() attempts to update link‑group synchronization state that has not yet been initialized. This premature access can lead to undefined behavior. Based on the description, it is inferred that the erroneous state update could trigger kernel instability or a crash, effectively causing a denial‑of‑service condition for services that rely on the SMC interface.

Affected Systems

All Linux kernel releases that include the net/smc subsystem and have not incorporated the commit that added a guard around link‑group updates are potentially vulnerable. This applies to every distribution that ships the unpatched kernel code, regardless of version number, because the flaw resides in the core kernel source.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity level. The EPSS score of <1% reflects a very low probability of exploitation. The CVE is not listed in the CISA KEV catalog. The vulnerability is reachable only via the SMC network interface, meaning an attacker would need to generate or influence SMC traffic to invoke the bug. This specialized attack surface results in a moderate overall risk, with a low likelihood of successful exploitation in most environments.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`0cfdd8f92cac01afbb12e4500514036a2b78756b`	affected	< 257cdf0c5ced9c0fba8aba501d94b0a5fcef2086
`0cfdd8f92cac01afbb12e4500514036a2b78756b`	affected	< 22546729b96fc873b23065dc49e3d73c45cfb874
`0cfdd8f92cac01afbb12e4500514036a2b78756b`	affected	< 5eedbfd82c2884e0010fdfb3c9446a6ebcadb691
`0cfdd8f92cac01afbb12e4500514036a2b78756b`	affected	< f0858e1d5624bb120b198f2a8528f97a9b0ae069
`0cfdd8f92cac01afbb12e4500514036a2b78756b`	affected	< 6180a296ca65b08a81914805cbc0f78da5f10a1f
`0cfdd8f92cac01afbb12e4500514036a2b78756b`	affected	< ea0b5d0fe96356dce38f98375a57c52a04e13712
`0cfdd8f92cac01afbb12e4500514036a2b78756b`	affected	< 83bcf9228b0501694fb2589ed1d142855a2887f2
`0cfdd8f92cac01afbb12e4500514036a2b78756b`	affected	< 5a8db80f721deee8e916c2cfdee78decda02ce4f

Linux

affected

Version	Status	Constraints
`4.11`	affected	—
`0`	unaffected	< 4.11
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.140`	unaffected	≤ 6.6.*
`6.12.86`	unaffected	≤ 6.12.*
`6.18.27`	unaffected	≤ 6.18.*
`7.0.4`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[0cfdd8f92cac01afbb12e4500514036a2b78756b,f0858e1d5624bb120b198f2a8528f97a9b0ae069)`	affected	code_commit	—
`[0cfdd8f92cac01afbb12e4500514036a2b78756b,6180a296ca65b08a81914805cbc0f78da5f10a1f)`	affected	code_commit	—
`[0cfdd8f92cac01afbb12e4500514036a2b78756b,ea0b5d0fe96356dce38f98375a57c52a04e13712)`	affected	code_commit	—
`[0cfdd8f92cac01afbb12e4500514036a2b78756b,83bcf9228b0501694fb2589ed1d142855a2887f2)`	affected	code_commit	—
`[0cfdd8f92cac01afbb12e4500514036a2b78756b,5a8db80f721deee8e916c2cfdee78decda02ce4f)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.11`	affected	generic	—
`[0,4.11)`	unaffected	generic	—
`[6.6.140,6.7.0)`	unaffected	semver	—
`[6.12.86,6.13.0)`	unaffected	semver	—
`[6.18.27,6.19.0)`	unaffected	semver	—
`[7.0.4,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel patch that adds a guard before updating link‑group state in smc_clc_wait_msg().
If an immediate kernel upgrade is infeasible, disable or restrict the SMC network service to prevent processing of SMC traffic.
After remediation, monitor system logs for abnormal link‑group synchronization events or kernel panics to confirm successful mitigation.

Generated by OpenCVE AI on May 30, 2026 at 13:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00508.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/22546729b96fc873b23065dc49e3d73c45cfb874
https://git.kernel.org/stable/c/257cdf0c5ced9c0fba8aba501d94b0a5fcef2086
https://git.kernel.org/stable/c/5a8db80f721deee8e916c2cfdee78decda02ce4f
https://git.kernel.org/stable/c/5eedbfd82c2884e0010fdfb3c9446a6ebcadb691
https://git.kernel.org/stable/c/6180a296ca65b08a81914805cbc0f78da5f10a1f
https://git.kernel.org/stable/c/83bcf9228b0501694fb2589ed1d142855a2887f2
https://git.kernel.org/stable/c/ea0b5d0fe96356dce38f98375a57c52a04e13712
https://git.kernel.org/stable/c/f0858e1d5624bb120b198f2a8528f97a9b0ae069
https://lore.kernel.org/linux-cve-announce/2026052748-CVE-2026-46027-91a3@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46027
https://www.cve.org/CVERecord?id=CVE-2026-46027

History

Tue, 16 Jun 2026 16:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/22546729b96fc873b23065dc49e3d73c45cfb874 https://git.kernel.org/stable/c/257cdf0c5ced9c0fba8aba501d94b0a5fcef2086 https://git.kernel.org/stable/c/5eedbfd82c2884e0010fdfb3c9446a6ebcadb691

Sat, 30 May 2026 11:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Thu, 28 May 2026 04:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-254

Thu, 28 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-366
References		https://lore.kernel.org/linux-cve-announce/2026052748-CVE-2026-46027-91a3@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46027 https://www.cve.org/CVERecord?id=CVE-2026-46027
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 27 May 2026 23:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-254

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net/smc: avoid early lgr access in smc_clc_wait_msg A CLC decline can be received while the handshake is still in an early stage, before the connection has been associated with a link group. The decline handling in smc_clc_wait_msg() updates link-group level sync state for first-contact declines, but that state only exists after link group setup has completed. Guard the link-group update accordingly and keep the per-socket peer diagnosis handling unchanged. This preserves the existing sync_err handling for established link-group contexts and avoids touching link-group state before it is available.
Title		net/smc: avoid early lgr access in smc_clc_wait_msg
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/5a8db80f721deee8e916c2cfdee78decda02ce4f https://git.kernel.org/stable/c/6180a296ca65b08a81914805cbc0f78da5f10a1f https://git.kernel.org/stable/c/83bcf9228b0501694fb2589ed1d142855a2887f2 https://git.kernel.org/stable/c/ea0b5d0fe96356dce38f98375a57c52a04e13712 https://git.kernel.org/stable/c/f0858e1d5624bb120b198f2a8528f97a9b0ae069

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:56:35.628Z

Updated: 2026-06-14T17:48:56.975Z

Reserved: 2026-05-13T15:03:33.093Z

Link: CVE-2026-46027

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-27T14:17:21.303

Modified: 2026-06-16T15:54:28.967

Link: CVE-2026-46027

Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46027 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T14:00:07Z

Weaknesses

CWE-366
Race Condition within a Thread
NVD-CWE-noinfo

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object