PatchSiren

CVE-2026-23460 Linux CVE debrief

A NULL pointer dereference vulnerability exists in the Linux kernel's ROSE (Radio Amateur Packet X.25 PLP) protocol implementation. The flaw occurs in `rose_connect()` when a second connection attempt is made while a previous connection is still in progress (TCP_SYN_SENT state). Under these conditions, the function overwrites `rose->neighbour` without checking if the new neighbor lookup returns NULL, leaving the socket in an inconsistent state. When the socket is subsequently closed, `rose_release()` calls `rose_write_internal()` → `rose_transmit_link(skb, NULL)`, triggering the NULL pointer dereference. The vulnerability affects Linux kernel versions from 2.6.12 through multiple stable branches, with fixes available in kernel versions 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, and later. The issue was discovered via syzkaller fuzzing. The fix adds a missing check for TCP_SYN_SENT state in `rose_connect()` to return -EALREADY when a connection is already in progress, consistent with standard connect(2) behavior.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-03
Original CVE updated: 2026-05-26
Advisory published: 2026-04-03
Advisory updated: 2026-05-26

Who should care

Linux system administrators running kernels with ROSE protocol support enabled; amateur radio operators using AX.25/ROSE packet networking; security teams monitoring for local denial-of-service vectors in networking subsystems; kernel maintainers backporting stable fixes to long-term support branches

Technical summary

The ROSE (Radio Amateur Packet X.25 PLP) protocol implementation in the Linux kernel contains a state validation gap in `rose_connect()`. The function properly rejects connection attempts when the socket is in TCP_ESTABLISHED (-EISCONN) or TCP_CLOSE with SS_CONNECTING (-ECONNREFUSED) states, but lacks a check for TCP_SYN_SENT. When `rose_connect()` is invoked during an ongoing connection attempt, it calls `rose_get_neigh()` to obtain a neighbor reference and assigns the result to `rose->neighbour` without NULL checking. If `rose_get_neigh()` returns NULL, the socket enters ROSE_STATE_1 with `rose->neighbour == NULL`. Upon socket closure, `rose_release()` detects ROSE_STATE_1 and invokes `rose_write_internal()` → `rose_transmit_link(skb, NULL)`, dereferencing the NULL neighbor pointer and causing a kernel crash. The vulnerability requires local access to create and manipulate ROSE sockets, with low attack complexity and no user interaction needed. The fix adds the missing TCP_SYN_SENT state check to return -EALREADY, aligning with POSIX connect(2) semantics for connection-in-progress scenarios.

Defensive priority

medium

Recommended defensive actions

  • Apply kernel patches from stable branches: 5.10.253+, 5.15.203+, 6.1.167+, 6.6.130+, 6.12.78+, 6.18.20+, 6.19.10+, or 7.0-rc5+
  • If immediate patching is not feasible, restrict access to ROSE protocol sockets to trusted local users
  • Monitor for kernel crashes in the ROSE networking subsystem as potential exploitation indicators
  • Review systems running amateur radio packet networking software that utilizes kernel ROSE support
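
A version check for the fixed releases listed above, as an added example that is not part of the advisory or the kernel sources: it classifies an upstream kernel release string and reports whether the `rose` module is loaded. It assumes upstream version numbering, and the function names `rose_fix_status` and `rose_module_loaded` are illustrative.

```shell
#!/bin/sh
# Added example, not from the advisory: classify an upstream kernel release
# against the fixed versions this page lists for CVE-2026-23460.
# Assumption: upstream numbering. Distribution kernels backport fixes without
# changing the base version; confirm those against the vendor advisory.

# "branch:first fixed patchlevel", from the page's list of fixed releases.
ROSE_FIXED="5.10:253 5.15:203 6.1:167 6.6:130 6.12:78 6.18:20 6.19:10"

# Prints patched, vulnerable, or unlisted (no fix listed here for that branch).
rose_fix_status() {
    rel=${1%%-*}                          # 6.1.167-amd64 -> 6.1.167
    case "$rel" in
        *[!0-9.]*|*..*|.*|*.) echo unlisted; return 0 ;;
        *.*) ;;
        *) echo unlisted; return 0 ;;
    esac
    major=${rel%%.*}; rest=${rel#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0     # "6.6" carries no patchlevel
    patch=${patch%%.*}
    if [ "$major" -ge 7 ]; then           # mainline fix: 7.0-rc5 and later
        case "$1" in
            7.0.0-rc[1-4]|7.0.0-rc[1-4][!0-9]*) echo vulnerable ;;
            *) echo patched ;;
        esac
        return 0
    fi
    for entry in $ROSE_FIXED; do
        [ "${entry%%:*}" = "$major.$minor" ] || continue
        if [ "$patch" -ge "${entry##*:}" ]; then echo patched
        else echo vulnerable; fi
        return 0
    done
    echo unlisted
}

# True when the rose module is loaded. A built-in CONFIG_ROSE=y does not appear
# in /proc/modules, so a miss here does not prove ROSE support is absent.
rose_module_loaded() {
    grep -q '^rose ' "${1:-/proc/modules}"
}

host=$(uname -r)
echo "$host: $(rose_fix_status "$host")"
if rose_module_loaded 2>/dev/null; then echo "rose module is loaded"; fi
```

Treat `unlisted` as unpatched until the branch's status is confirmed elsewhere, since the page gives no fixed release for it.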

Evidence notes

Vulnerability description and patch details sourced from NVD record. Multiple stable kernel patches referenced in source metadata. CVSS 3.1 score 5.5 (MEDIUM) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. CWE-476 (NULL Pointer Dereference) classification from NVD. Affected version ranges derived from CPE criteria in source metadata.

Official resources

2026-04-03