CVE-2026-46098 PUBLISHED

net: caif: clear client service pointer on teardown

Assigner: Linux
Reserved: 13.05.2026 Published: 27.05.2026 Updated: 27.05.2026

In the Linux kernel, the following vulnerability has been resolved:

net: caif: clear client service pointer on teardown

caif_connect() can tear down an existing client after remote shutdown by calling caif_disconnect_client() followed by caif_free_client(). caif_free_client() releases the service layer referenced by adap_layer->dn, but leaves that pointer stale.

When the socket is later destroyed, caif_sock_destructor() calls caif_free_client() again and dereferences the freed service pointer.

Clear the client/service links before releasing the service object so repeated teardown becomes harmless.

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 43e3692101086add8719c3b8b50b05c9ac5b14e1 to 914c6456fcfc21a3d553945dff62fd1621d6155d (excl.)
  • affected from 43e3692101086add8719c3b8b50b05c9ac5b14e1 to 3ac6db584d9d420267bb8413115707eeec76d9cf (excl.)
  • affected from 43e3692101086add8719c3b8b50b05c9ac5b14e1 to 63d21a3aa0108b9dde4e99b0d3d5d679ac68c0f9 (excl.)
  • affected from 43e3692101086add8719c3b8b50b05c9ac5b14e1 to a4b191ddc12c55ddb62feb096536f819f384d6f1 (excl.)
  • affected from 43e3692101086add8719c3b8b50b05c9ac5b14e1 to f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8 (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 3.0 is affected
  • unaffected from 0 to 3.0 (excl.)
  • unaffected from 6.6.140 to 6.6.* (incl.)
  • unaffected from 6.12.86 to 6.12.* (incl.)
  • unaffected from 6.18.27 to 6.18.* (incl.)
  • unaffected from 7.0.4 to 7.0.* (incl.)
  • unaffected from 7.1-rc1 to * (incl.)

References