CVE-2026-46098
Published: May 27, 2026
Modified: Jun 1, 2026
Description
In the Linux kernel, the following vulnerability has been resolved:

net: caif: clear client service pointer on teardown

`caif_connect()` can tear down an existing client after remote shutdown by calling `caif_disconnect_client()` followed by `caif_free_client()`. `caif_free_client()` releases the service layer referenced by `adap_layer->dn`, but leaves that pointer stale.

When the socket is later destroyed, `caif_sock_destructor()` calls `caif_free_client()` again and dereferences the freed service pointer.

Clear the client/service links before releasing the service object so repeated teardown becomes harmless.
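The repeated-teardown pattern from the description, as an added example that is not the kernel's code: a simplified user-space model in which the struct and function names are hypothetical and a counter stands in for the actual free, so the second release can be observed without touching freed memory.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the client and its service layer; these are
 * not the kernel's CAIF structures. */
struct service { int releases; };        /* counts how often it was released */
struct client  { struct service *dn; };  /* dn: link to the service layer */

static void service_put(struct service *s) { s->releases++; }

/* Pre-fix pattern: releases the service but leaves c->dn pointing at it. */
static void free_client_stale(struct client *c)
{
    if (c->dn == NULL)
        return;
    service_put(c->dn);          /* c->dn is now stale */
}

/* Fixed pattern: clear the link first, then release the object, so a
 * second call finds NULL and returns without touching the service. */
static void free_client_cleared(struct client *c)
{
    struct service *s = c->dn;

    if (s == NULL)
        return;
    c->dn = NULL;
    service_put(s);
}

/* Runs the two teardown calls the description names and returns how many
 * times the service was released (1 is correct, 2 is the bug). */
static int teardown_twice(void (*free_client)(struct client *))
{
    struct service svc = { 0 };  /* stack object, so nothing is really freed */
    struct client c = { &svc };

    free_client(&c);             /* connect path, after remote shutdown */
    free_client(&c);             /* socket destructor path */
    return svc.releases;
}

int main(void)
{
    printf("stale pointer:   %d releases\n", teardown_twice(free_client_stale));
    printf("cleared pointer: %d releases\n", teardown_twice(free_client_cleared));
    return 0;
}
```

In the kernel the second release operates on memory that has already been freed; the model only counts the calls.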
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | affected `43e3692101086add8719c3b8b50b05c9ac5b14e1` - < `cffca7a18b8f9de7c3d3013a1f5740c412b2a501`; affected `43e3692101086add8719c3b8b50b05c9ac5b14e1` - < `7ef97d4675b05a103648bd9244d91dff7d8c08b0`; affected `43e3692101086add8719c3b8b50b05c9ac5b14e1` - < `e16859f3f4426fa349bc5519d582a93d28f5a15d`; affected `43e3692101086add8719c3b8b50b05c9ac5b14e1` - < `914c6456fcfc21a3d553945dff62fd1621d6155d`; affected `43e3692101086add8719c3b8b50b05c9ac5b14e1` - < `3ac6db584d9d420267bb8413115707eeec76d9cf`; +3 more versions |
| Linux | Linux | affected `3.0`; unaffected `0` - < `3.0`; unaffected `5.10.258` - <= `5.10.*`; unaffected `5.15.209` - <= `5.15.*`; unaffected `6.1.175` - <= `6.1.*`; +5 more versions |