Description
In the Linux kernel, the following vulnerability has been resolved:

Revert "net/smc: Introduce TCP ULP support"

This reverts commit d7cd421da9da2cc7b4d25b8537f66db5c8331c40.

As reported by Al Viro, the TCP ULP support for SMC is fundamentally
broken. The implementation attempts to convert an active TCP socket
into an SMC socket by modifying the underlying `struct file`, dentry,
and inode in-place, which violates core VFS invariants that assume
these structures are immutable for an open file, creating a risk of
use after free errors and general system instability.

Given the severity of this design flaw and the fact that cleaner
alternatives (e.g., LD_PRELOAD, BPF) exist for legacy application
transparency, the correct course of action is to remove this feature
entirely.
Published: 2026-06-09
Score: 7.0 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel implemented a feature that attempted to convert an active TCP socket into an SMC socket by modifying the underlying file, dentry, and inode structures in‑place. This violates VFS invariants that treat these structures as immutable for an open file, creating a use‑after‑free condition and general system instability. An attacker that can trigger the flaw might corrupt kernel memory, leading to system instability. The impact is confined to the kernel's handling of SMC sockets and does not affect unrelated network stacks.

Affected Systems

All Linux kernel releases that contained the TCP‑ULP support for SMC before the revert commit (d7cd421da9da2cc7b4d25b8537f66db5c8331c40) were affected. Since the feature was removed in a later commit, any kernel that includes that commit in the upstream source up to the revert is impacted. No specific version numbers are supplied in the data.

Risk and Exploitability

The CVSS score of 7.0 denotes medium severity. No exploit code or proof‑of‑concept is documented, and the EPSS score is unavailable, so the exact exploitation likelihood is unknown. Based on the description, the likely attack vector is local or privileged, requiring the attacker to create or manipulate a TCP socket that the kernel will convert to an SMC socket. Because the design flaw violates core VFS invariants, a successful use‑after‑free could lead to system instability. The vulnerability is not listed in CISA KEV catalog.

Generated by OpenCVE AI on June 10, 2026 at 02:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the running kernel to a revision that contains the revert commit that removes TCP‑ULP support for SMC
  • If running an older kernel that still enables the SMC TCP‑ULP feature, disable the corresponding configuration option or rebuild the kernel without it
  • Use alternative mechanisms such as LD_PRELOAD or BPF to achieve legacy application transparency instead of the removed feature

Generated by OpenCVE AI on June 10, 2026 at 02:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-915
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Tue, 09 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Revert "net/smc: Introduce TCP ULP support" This reverts commit d7cd421da9da2cc7b4d25b8537f66db5c8331c40. As reported by Al Viro, the TCP ULP support for SMC is fundamentally broken. The implementation attempts to convert an active TCP socket into an SMC socket by modifying the underlying `struct file`, dentry, and inode in-place, which violates core VFS invariants that assume these structures are immutable for an open file, creating a risk of use after free errors and general system instability. Given the severity of this design flaw and the fact that cleaner alternatives (e.g., LD_PRELOAD, BPF) exist for legacy application transparency, the correct course of action is to remove this feature entirely.
Title Revert "net/smc: Introduce TCP ULP support"
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-09T12:25:59.413Z

Reserved: 2026-05-13T15:03:33.112Z

Link: CVE-2026-46330

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-09T14:16:42.723

Modified: 2026-06-09T14:16:42.723

Link: CVE-2026-46330

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-09T00:00:00Z

Links: CVE-2026-46330 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T02:45:15Z

Weaknesses