Description
In the Linux kernel, the following vulnerability has been resolved:

net: caif: clear client service pointer on teardown

`caif_connect()` can tear down an existing client after remote shutdown by
calling `caif_disconnect_client()` followed by `caif_free_client()`.
`caif_free_client()` releases the service layer referenced by
`adap_layer->dn`, but leaves that pointer stale.

When the socket is later destroyed, `caif_sock_destructor()` calls
`caif_free_client()` again and dereferences the freed service pointer.

Clear the client/service links before releasing the service object so
repeated teardown becomes harmless.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s caif networking module contains a use‑after‑free flaw that triggers when a client connection is torn down after a remote shutdown. The caif_disconnect_client() and caif_free_client() functions release a service object while leaving the adap_layer->dn pointer still referencing the freed memory. Subsequent calls to caif_sock_destructor() invoke caif_free_client() again and dereference this stale pointer, causing a kernel panic (CVE-2026-46098). The flaw is classified under CWE‑416 (Use‑After‑Free) and CWE‑1341 (Improper Release of Resource).
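The double teardown described above, modelled in userspace as an added example (not the kernel's code or the upstream patch). Struct and function names are hypothetical, the cleared links are assumed to be the `dn`/`up` pair, and released objects stay in a static pool so the stale access is counted rather than executed.

```c
/* Userspace model of the teardown pattern; names are hypothetical, not the
 * kernel's. "Freed" objects stay in a static pool so a stale access can be
 * detected and counted instead of touching freed memory. */
#include <stddef.h>
#include <stdio.h>
struct layer { struct layer *up, *dn; int live; };

static struct layer pool[2];   /* slot 0: adaptation layer, slot 1: service */
static int stale_uses;         /* accesses to an already-released service */

static void service_release(struct layer *svc)
{
    if (!svc->live) { stale_uses++; return; }  /* would be a use-after-free */
    svc->live = 0;
}

/* Before the fix: releases the service but leaves adap->dn pointing at it. */
static void free_client_stale(struct layer *adap)
{
    if (adap->dn) service_release(adap->dn);
}

/* After the fix: unlink both directions first, then release. */
static void free_client_cleared(struct layer *adap)
{
    struct layer *svc = adap->dn;
    if (svc == NULL) return;    /* repeated teardown finds nothing to do */
    adap->dn = NULL;
    svc->up = NULL;
    service_release(svc);
}

/* Run teardown twice: once on the connect path, once at socket destruction. */
static int double_teardown(void (*free_client)(struct layer *))
{
    struct layer *adap = &pool[0], *svc = &pool[1];
    stale_uses = 0;
    adap->up = NULL; adap->dn = svc; adap->live = 1;
    svc->up = adap;  svc->dn = NULL; svc->live = 1;
    free_client(adap);          /* teardown after remote shutdown */
    free_client(adap);          /* teardown again from the destructor */
    return stale_uses;
}

int main(void)
{
    printf("stale pointer kept: %d stale use(s)\n", double_teardown(free_client_stale));
    printf("links cleared:      %d stale use(s)\n", double_teardown(free_client_cleared));
    return 0;
}
```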

Affected Systems

All Linux kernel builds that include the caif networking support are potentially vulnerable. No specific kernel version numbers are listed, so any kernel that incorporates the caif module may be affected until the patch that clears the client/service links before freeing the service object is applied.

Risk and Exploitability

Because the exploit requires local kernel access through caif APIs, it is a local privilege escalation or denial‑of‑service risk. An attacker with sufficient privileges can deliberately initiate a remote shutdown to trigger the dangling dereference, resulting in a kernel crash. No EPSS or KEV indicators are available, but the severity of a kernel panic warrants immediate remediation. Applying the kernel update that removes the dangling pointer mitigates the risk.

Generated by OpenCVE AI on May 28, 2026 at 03:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel patch that clears the client/service links before freeing the service object, which eliminates the Use‑After‑Free (CWE‑416) and Improper Release of Resource (CWE‑1341) conditions.
  • If a kernel update is not immediately available, disable or prevent the caif module from loading in the running system to remove the vulnerable API surface until the patch can be deployed.
  • Continuously monitor kernel logs (e.g., via dmesg or /var/log/kern.log) for caif‑related crash messages and enforce an alert mechanism to apply the update as soon as it becomes available.

Generated by OpenCVE AI on May 28, 2026 at 03:42 UTC.

Advisories

No advisories yet.

History

Thu, 28 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 28 May 2026 00:15:00 +0000


Wed, 27 May 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: caif: clear client service pointer on teardown `caif_connect()` can tear down an existing client after remote shutdown by calling `caif_disconnect_client()` followed by `caif_free_client()`. `caif_free_client()` releases the service layer referenced by `adap_layer->dn`, but leaves that pointer stale. When the socket is later destroyed, `caif_sock_destructor()` calls `caif_free_client()` again and dereferences the freed service pointer. Clear the client/service links before releasing the service object so repeated teardown becomes harmless.
Title net: caif: clear client service pointer on teardown
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:59:02.308Z

Reserved: 2026-05-13T15:03:33.097Z

Link: CVE-2026-46098

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:31.453

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46098

Redhat

Severity :

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46098 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T03:45:06Z

Weaknesses