PatchSiren

CVE-2026-23450 Linux CVE debrief

CVE-2026-23450 is a critical Linux kernel vulnerability in the SMC/TCP receive path. A race in smc_tcp_syn_recv_sock() can read a stale or cleared sk_user_data pointer while a concurrent close path frees the underlying smc_sock, leading to either a NULL pointer dereference or a use-after-free. The issue is network-facing, requires no privileges or user interaction, and affects multiple stable kernel release lines until the published fixes.

Vendor: Linux
Product: Unknown
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-03
Original CVE updated: 2026-05-21
Advisory published: 2026-04-03
Advisory updated: 2026-05-21

Who should care

Linux kernel operators, especially teams running systems with SMC enabled or kernel builds that include the affected TCP/SMC networking code. This is most relevant for internet-facing servers and infrastructure that accept TCP connections at scale.

Technical summary

smc_tcp_syn_recv_sock() runs in the TCP handshake path and reads clcsock->sk_user_data to locate the associated smc_sock. If the SMC listen socket is being closed concurrently, smc_close_active() can clear sk_user_data under sk_callback_lock and the smc_sock can then be freed via sock_put(). Because the handshake path does not hold that lock, the code can observe sk_user_data as NULL or as a dangling pointer. Dereferencing smc->fields after that point can crash the kernel. The described fix uses RCU read-side protection, sets SOCK_RCU_FREE on the SMC listen socket, and uses refcount_inc_not_zero() to safely pin the smc_sock before accessing it.

Defensive priority

Immediate. NVD rates this CRITICAL (CVSS 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), and the flaw is reachable during normal TCP connection handling. Patch or upgrade affected kernels as soon as practical.

Recommended defensive actions

  • Upgrade to a kernel release that includes the published fix for your branch.
  • If you maintain custom kernels, backport the official Linux stable patches referenced by NVD.
  • Prioritize remediation on exposed servers and high-connection-rate systems because the vulnerable path is in TCP handshake processing.
  • Inventory whether SMC is enabled or used in your environment, but do not treat lack of explicit SMC use as proof of safety until kernels are updated.
  • Validate remediation by confirming the affected version ranges are no longer in use: 5.15.174 through before 5.15.203, 5.18 through before 6.1.167, 6.2 through before 6.6.130, 6.7 through before 6.12.78, 6.13 through before
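One way to script the inventory and validation steps above (an added example, not part of the original debrief or any vendor tooling): it compares a `uname -r` string against the four complete version ranges listed on this page and checks whether the `smc` module is loaded. The function names and result labels are assumptions made for this example, and the comparison only applies to upstream version numbers; distribution kernels often carry backported fixes under an older version, so confirm those against the vendor advisory.

```python
import platform
import re

# Ranges from this page as (first affected, first fixed); the end is exclusive.
AFFECTED = [
    ((5, 15, 174), (5, 15, 203)),
    ((5, 18, 0), (6, 1, 167)),
    ((6, 2, 0), (6, 6, 130)),
    ((6, 7, 0), (6, 12, 78)),
]
# The page's fifth range starts at 6.13 but its end is cut off, so releases
# from 6.13 on are reported as "unknown" rather than guessed.
TRUNCATED_START = (6, 13, 0)


def parse_release(release):
    """Turn a `uname -r` string such as '6.1.150-generic' into (6, 1, 150)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())


def classify(release):
    """Return 'affected', 'unknown' or 'outside-listed-ranges'."""
    v = parse_release(release)
    if any(start <= v < fixed for start, fixed in AFFECTED):
        return "affected"
    if v >= TRUNCATED_START:
        return "unknown"  # look up the fixed version for this branch in NVD
    return "outside-listed-ranges"


def smc_loaded(proc_modules_text):
    """True if a module named exactly 'smc' is listed in /proc/modules text.
    A kernel with SMC built in (not as a module) will not show up here."""
    names = [ln.split()[0] for ln in proc_modules_text.splitlines() if ln.strip()]
    return "smc" in names


if __name__ == "__main__":
    rel = platform.release()
    print(rel, "->", classify(rel))
    try:
        with open("/proc/modules") as fh:
            print("smc module loaded:", smc_loaded(fh.read()))
    except OSError:
        print("smc module state: /proc/modules not readable")
```

An "outside-listed-ranges" result with the module absent is still only inventory data; as the list above says, the kernel update is what closes the issue.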

Evidence notes

This debrief is based on the CVE description, NVD analysis, and the official kernel patch references listed in the supplied corpus. The corpus states the race occurs in smc_tcp_syn_recv_sock() when sk_user_data can become NULL or stale while the associated smc_sock is concurrently freed. NVD lists CWE-416 and a network-facing CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Affected version ranges are taken from the supplied NVD CPE criteria and fixed branches are referenced by the kernel stable patch links.

Official resources

CVE published 2026-04-03T16:16:31.243Z and last modified 2026-05-21T00:32:34.480Z. The timeline fields in the supplied corpus are used for date context.