Description
In the Linux kernel, the following vulnerability has been resolved:

net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint

The smc_msg_event tracepoint class, shared by smc_tx_sendmsg and
smc_rx_recvmsg, unconditionally dereferences smc->conn.lnk:

__string(name, smc->conn.lnk->ibname)

conn->lnk is only set for SMC-R; for SMC-D it is NULL. Other code on
these paths already handles this (e.g. !conn->lnk in
SMC_STAT_RMB_TX_SIZE_SMALL()). With the tracepoint enabled, the first
sendmsg()/recvmsg() on an SMC-D socket crashes:

Oops: general protection fault, probably for non-canonical address
KASAN: null-ptr-deref in range [...]
RIP: 0010:strlen+0x1e/0xa0
Call Trace:
trace_event_raw_event_smc_msg_event (net/smc/smc_tracepoint.h:44)
smc_rx_recvmsg (net/smc/smc_rx.c:515)
smc_recvmsg (net/smc/af_smc.c:2859)
__sys_recvfrom (net/socket.c:2315)
__x64_sys_recvfrom (net/socket.c:2326)
do_syscall_64

The faulting address 0x3e0 is offsetof(struct smc_link, ibname),
confirming the NULL ->lnk deref. Enabling the tracepoint requires
root, but the trigger itself is unprivileged: socket(AF_SMC, ...) has
no capability check, and SMC-D negotiation needs no admin step on
s390 or on x86 with the loopback ISM device loaded.

Log an empty device name for SMC-D instead of dereferencing NULL.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, the smc_msg_event tracepoint unconditionally dereferences smc->conn‑D sockets. When a first sendmsg() or recvmsg() is performed on an SMC‑D socket with the tracepoint enabled, a general protection fault occurs, leading to a kernel crash. The fault results from a null‑pointer dereference.

Affected Systems

All Linux kernel installations that have not incorporated the fix to guard against NULL dereference in smc_msg_event. The vulnerability resides in the core kernel source and applies to all distributions that ship a kernel prior to the patch.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while the EPSS score (< 1%) reflects a very low likelihood of exploitation. The vulnerability is not listed in CISA KEV. Enabling the tracepoint requires root privileges; however, once enabled, any local user can trigger the crash by sending messages on an SMC‑D socket. This latter scenario is inferred from the description: the trigger code is unprivileged, but depends on the tracepoint having been activated by an administrator. Consequently the practical attacker model consists of local users on a system with the tracepoint pre‑enabled, resulting in a denial of service via kernel crash.

Generated by OpenCVE AI on June 25, 2026 at 02:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that guards smc_msg_event against NULL dereferences, as introduced in commit 561cf66fa9b6c86dfe4e687d2d1aeaaa673.
  • If an upgrade is not possible, disable the smc_msg_event tracepoint to prevent the dereference from occurring.
  • Restrict the creation of AF_SMC sockets to trusted users or implement capability checks to limit unprivileged use of SMC‑D sockets, thereby reducing the attack surface.

Generated by OpenCVE AI on June 25, 2026 at 02:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 24 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint The smc_msg_event tracepoint class, shared by smc_tx_sendmsg and smc_rx_recvmsg, unconditionally dereferences smc->conn.lnk: __string(name, smc->conn.lnk->ibname) conn->lnk is only set for SMC-R; for SMC-D it is NULL. Other code on these paths already handles this (e.g. !conn->lnk in SMC_STAT_RMB_TX_SIZE_SMALL()). With the tracepoint enabled, the first sendmsg()/recvmsg() on an SMC-D socket crashes: Oops: general protection fault, probably for non-canonical address KASAN: null-ptr-deref in range [...] RIP: 0010:strlen+0x1e/0xa0 Call Trace: trace_event_raw_event_smc_msg_event (net/smc/smc_tracepoint.h:44) smc_rx_recvmsg (net/smc/smc_rx.c:515) smc_recvmsg (net/smc/af_smc.c:2859) __sys_recvfrom (net/socket.c:2315) __x64_sys_recvfrom (net/socket.c:2326) do_syscall_64 The faulting address 0x3e0 is offsetof(struct smc_link, ibname), confirming the NULL ->lnk deref. Enabling the tracepoint requires root, but the trigger itself is unprivileged: socket(AF_SMC, ...) has no capability check, and SMC-D negotiation needs no admin step on s390 or on x86 with the loopback ISM device loaded. Log an empty device name for SMC-D instead of dereferencing NULL.
Title net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T07:14:29.943Z

Reserved: 2026-06-09T07:44:35.370Z

Link: CVE-2026-52941

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52941 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T02:15:03Z

Weaknesses