Home

Description

In the Linux kernel, the following vulnerability has been resolved: net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect syzkaller reported a bug [1], and the reproducer is available at [2]. ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN, TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING (-ECONNREFUSED), but lacks a check for TCP_SYN_SENT. When rose_connect() is called a second time while the first connection attempt is still in progress (TCP_SYN_SENT), it overwrites rose->neighbour via rose_get_neigh(). If that returns NULL, the socket is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL. When the socket is subsequently closed, rose_release() sees ROSE_STATE_1 and calls rose_write_internal() -> rose_transmit_link(skb, NULL), causing a NULL pointer dereference. Per connect(2), a second connect() while a connection is already in progress should return -EALREADY. Add this missing check for TCP_SYN_SENT to complete the state validation in rose_connect(). [1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271 [2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516

PUBLISHED Reserved 2026-01-13 | Published 2026-04-03 | Updated 2026-05-11 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before c85fe6580e86947ca07907ebf4363a73c156fda7
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before a753844d2a8136f090123c8fb1ff6c7f6ee7c2b3
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before c2ab74c12932e52cfa1e7e4582d42b0c8bec96c7
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 0c9fb70a206a8734e10468ecc24d57c7596cf64e
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 508f49ccbe0329641bb681f7d0052bb4e5943252
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 0c3e8bff808f17ad37a51d8e719eed22c7863120
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before a12254050e3050f1011cd24f3b880a6882d0139d
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before e1f0a18c9564cdb16523c802e2c6fe5874e3d944
affected

Default status
affected

2.6.12
affected

Any version before 2.6.12
unaffected

5.10.253 (semver)
unaffected

5.15.203 (semver)
unaffected

6.1.167 (semver)
unaffected

6.6.130 (semver)
unaffected

6.12.78 (semver)
unaffected

6.18.20 (semver)
unaffected

6.19.10 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/c85fe6580e86947ca07907ebf4363a73c156fda7

git.kernel.org/...c/a753844d2a8136f090123c8fb1ff6c7f6ee7c2b3

git.kernel.org/...c/c2ab74c12932e52cfa1e7e4582d42b0c8bec96c7

git.kernel.org/...c/0c9fb70a206a8734e10468ecc24d57c7596cf64e

git.kernel.org/...c/508f49ccbe0329641bb681f7d0052bb4e5943252

git.kernel.org/...c/0c3e8bff808f17ad37a51d8e719eed22c7863120

git.kernel.org/...c/a12254050e3050f1011cd24f3b880a6882d0139d

git.kernel.org/...c/e1f0a18c9564cdb16523c802e2c6fe5874e3d944

cve.org (CVE-2026-23460)

nvd.nist.gov (CVE-2026-23460)

Download JSON