CVE-2026-52941
Status: Received - Intake
NULL dereference in Linux kernel SMC subsystem

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved:

net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint

The smc_msg_event tracepoint class, shared by smc_tx_sendmsg and smc_rx_recvmsg, unconditionally dereferences smc->conn.lnk:

    __string(name, smc->conn.lnk->ibname)

conn->lnk is only set for SMC-R; for SMC-D it is NULL. Other code on these paths already handles this (e.g. !conn->lnk in SMC_STAT_RMB_TX_SIZE_SMALL()).

With the tracepoint enabled, the first sendmsg()/recvmsg() on an SMC-D socket crashes:

    Oops: general protection fault, probably for non-canonical address
    KASAN: null-ptr-deref in range [...]
    RIP: 0010:strlen+0x1e/0xa0
    Call Trace:
     trace_event_raw_event_smc_msg_event (net/smc/smc_tracepoint.h:44)
     smc_rx_recvmsg (net/smc/smc_rx.c:515)
     smc_recvmsg (net/smc/af_smc.c:2859)
     __sys_recvfrom (net/socket.c:2315)
     __x64_sys_recvfrom (net/socket.c:2326)
     do_syscall_64

The faulting address 0x3e0 is offsetof(struct smc_link, ibname), confirming the NULL ->lnk deref.

Enabling the tracepoint requires root, but the trigger itself is unprivileged: socket(AF_SMC, ...) has no capability check, and SMC-D negotiation needs no admin step on s390 or on x86 with the loopback ISM device loaded.

Log an empty device name for SMC-D instead of dereferencing NULL.
Affected Vendors & Products (1 associated CPE)

Vendor   Product        Version / Range
linux    linux_kernel   *
Executive Summary

This vulnerability exists in the Linux kernel's SMC (Shared Memory Communications) subsystem, specifically in the smc_msg_event tracepoint code. The issue is that the code unconditionally dereferences a pointer (conn->lnk) which can be NULL for certain socket types (SMC-D). When the tracepoint is enabled, the first sendmsg() or recvmsg() call on an SMC-D socket causes a kernel crash due to a NULL pointer dereference.

The problem arises because conn->lnk is only set for SMC-R sockets, but not for SMC-D sockets where it remains NULL. The tracepoint code does not check for this NULL condition before dereferencing, leading to a general protection fault and kernel crash.

The fix involves logging an empty device name for SMC-D sockets instead of dereferencing the NULL pointer.

Impact Analysis

This vulnerability can cause a kernel crash (general protection fault) when using SMC-D sockets with the smc_msg_event tracepoint enabled. This crash can disrupt system stability and availability.

Because the trigger is unprivileged (any user can create an AF_SMC socket without special capabilities), an unprivileged local user can cause a denial of service by crashing the kernel whenever the tracepoint has been enabled.

Detection Guidance

This vulnerability involves a NULL pointer dereference in the smc_msg_event tracepoint when using SMC-D sockets. Detection requires checking if the tracepoint is enabled and monitoring for crashes or kernel oops related to smc_msg_event.

Enabling the tracepoint requires root privileges. Whether the tracepoint exists on a given kernel can be checked from the tracing directory (tracefs, historically mounted under debugfs), for example:

  • cat /sys/kernel/debug/tracing/available_events | grep smc_msg_event

To detect if the vulnerability is triggered, monitor kernel logs for messages like 'Oops: general protection fault' or 'KASAN: null-ptr-deref' related to smc_msg_event.

Additionally, on a test system you can create an SMC-D socket (which does not require admin privileges) with the tracepoint enabled and observe whether the system crashes or logs errors:

  • Use a small C program or command line tool to create a socket with AF_SMC and perform sendmsg()/recvmsg() calls.
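Added example, not taken from the CVE record or the kernel tree: a small POSIX shell helper for the two checks above. It assumes the two events backed by the smc_msg_event class appear in tracefs as smc:smc_tx_sendmsg and smc:smc_rx_recvmsg, and it reads the tracefs set_event file, which lists currently enabled events (available_events only lists events that exist); the sample log is constructed from the oops excerpt in the description.

```shell
#!/bin/sh
# Added example for CVE-2026-52941 (not from the CVE record or the kernel tree).
# Inputs are passed as text so the checks run offline and can be unit-tested.

# Assumption: the two events backed by the smc_msg_event class show up in
# tracefs as "smc:<event>" (subsystem "smc", event names from the description).
SMC_MSG_EVENTS="smc:smc_tx_sendmsg smc:smc_rx_recvmsg"

# Return 0 if either SMC message tracepoint is listed in the given set_event
# text. set_event lists *enabled* events; available_events lists all events
# compiled into the kernel, so it cannot tell an idle system from an exposed one.
smc_trace_enabled() {
    for ev in $SMC_MSG_EVENTS; do
        printf '%s\n' "$1" | grep -qx "$ev" && return 0
    done
    return 1
}

# Return 0 if the kernel log text carries the crash signature from the CVE
# description: a GPF/KASAN null-ptr-deref with the smc_msg_event trace handler
# in the call trace. A GPF without that handler in the trace is not a match.
smc_oops_in_log() {
    printf '%s\n' "$1" | grep -qE 'Oops: general protection fault|KASAN: null-ptr-deref' || return 1
    printf '%s\n' "$1" | grep -q 'trace_event_raw_event_smc_msg_event'
}

# Constructed sample log, assembled from the oops lines quoted in the description.
SAMPLE_OOPS='Oops: general protection fault, probably for non-canonical address
KASAN: null-ptr-deref in range [...]
RIP: 0010:strlen+0x1e/0xa0
Call Trace:
 trace_event_raw_event_smc_msg_event (net/smc/smc_tracepoint.h:44)
 smc_rx_recvmsg (net/smc/smc_rx.c:515)'

# Live usage on a host (root is needed to read tracefs):
#   smc_trace_enabled "$(cat /sys/kernel/tracing/set_event)" && echo "SMC tracepoints enabled"
#   smc_oops_in_log "$(dmesg)" && echo "CVE-2026-52941 crash signature in kernel log"
```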

Mitigation Strategies

The vulnerability is fixed by logging an empty device name for SMC-D sockets instead of dereferencing a NULL pointer. Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the fix for this vulnerability.
  • If updating immediately is not possible, keep the smc_msg_event tracepoints (smc_tx_sendmsg, smc_rx_recvmsg) disabled so the NULL dereference cannot be reached.
  • Restrict unprivileged users from creating SMC-D sockets if feasible, to reduce the risk of triggering the vulnerability.