CVE-2026-23460
Analyzed Analyzed - Analysis Complete
NULL Pointer Dereference in Linux Kernel ROSE Socket Handling

Publication date: 2026-04-03

Last updated on: 2026-05-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect syzkaller reported a bug [1], and the reproducer is available at [2]. ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN, TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING (-ECONNREFUSED), but lacks a check for TCP_SYN_SENT. When rose_connect() is called a second time while the first connection attempt is still in progress (TCP_SYN_SENT), it overwrites rose->neighbour via rose_get_neigh(). If that returns NULL, the socket is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL. When the socket is subsequently closed, rose_release() sees ROSE_STATE_1 and calls rose_write_internal() -> rose_transmit_link(skb, NULL), causing a NULL pointer dereference. Per connect(2), a second connect() while a connection is already in progress should return -EALREADY. Add this missing check for TCP_SYN_SENT to complete the state validation in rose_connect(). [1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271 [2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23460
EUVD
EUVD-2026-18720
Affected Vendors & Products
Showing 16 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.20 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.10 (exc)
linux linux_kernel From 2.6.12.1 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's net/rose module, specifically in the rose_transmit_link function. It occurs when a second connection attempt is made while the first connection is still in progress (TCP_SYN_SENT state). The rose_connect() function lacks a check for this TCP_SYN_SENT state, which can lead to the socket's neighbour pointer being set to NULL.

When the socket is later closed, the code attempts to use this NULL neighbour pointer in rose_transmit_link, causing a NULL pointer dereference. This is a type of software bug that can cause the kernel to crash or behave unexpectedly.

The fix involves adding the missing check for the TCP_SYN_SENT state in rose_connect() to prevent overwriting the neighbour pointer with NULL and to properly handle multiple connection attempts.

Impact Analysis

This vulnerability can cause a NULL pointer dereference in the Linux kernel, which may lead to a kernel crash or system instability when the affected code path is triggered.

Such crashes can result in denial of service (DoS) conditions, potentially disrupting normal operations on systems using the affected Linux kernel version.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23460. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart