CVE-2026-23460
Description
In the Linux kernel, the following vulnerability has been resolved:
net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect
syzkaller reported a bug [1], and the reproducer is available at [2].
ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN, TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING (-ECONNREFUSED), but lacks a check for TCP_SYN_SENT.
When rose_connect() is called a second time while the first connection attempt is still in progress (TCP_SYN_SENT), it overwrites rose->neighbour via rose_get_neigh(). If that returns NULL, the socket is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL. When the socket is subsequently closed, rose_release() sees ROSE_STATE_1 and calls rose_write_internal() -> rose_transmit_link(skb, NULL), causing a NULL pointer dereference.
Per connect(2), a second connect() while a connection is already in progress should return -EALREADY. Add this missing check for TCP_SYN_SENT to complete the state validation in rose_connect().
[1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271 [2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing state validation in Linux ROSE socket connect() allows NULL pointer dereference when a second connect is called while the first is still in progress.
Vulnerability
In the Linux kernel's ROSE protocol implementation, the rose_connect() function does not properly validate the socket state when a second connect() call is made while the first connection attempt is still in progress (TCP_SYN_SENT). Per POSIX, a second connect on a non-established socket should return -EALREADY, but the code instead proceeds to overwrite rose->neighbour via rose_get_neigh(), possibly setting it to NULL.
Exploitation
To trigger the vulnerability, an attacker must first initiate a ROSE connection (causing the socket to enter TCP_SYN_SENT state) and then call rose_connect() again before the handshake completes. If rose_get_neigh() returns NULL at that point, the socket will be left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL. When the socket is later closed via rose_release(), the code path rose_write_internal() → rose_transmit_link(skb, NULL) dereferences the NULL pointer, causing a kernel crash (NULL pointer dereference).
Impact
An unprivileged local user with access to AF_ROSE sockets can trigger a kernel panic, leading to a denial of service (system crash). No authentication beyond local system access is required, and no special privileges are needed for the second connect call.
Mitigation
The fix adds a check for TCP_SYN_SENT in rose_connect() to return -EALREADY, preventing the race condition and NULL pointer dereference. The patch has been backported to multiple stable kernel trees as of April 2026 [1][2][3][4]. Users should apply the latest kernel updates from their distribution.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/0c3e8bff808f17ad37a51d8e719eed22c7863120nvd
- git.kernel.org/stable/c/0c9fb70a206a8734e10468ecc24d57c7596cf64envd
- git.kernel.org/stable/c/508f49ccbe0329641bb681f7d0052bb4e5943252nvd
- git.kernel.org/stable/c/a12254050e3050f1011cd24f3b880a6882d0139dnvd
- git.kernel.org/stable/c/a753844d2a8136f090123c8fb1ff6c7f6ee7c2b3nvd
- git.kernel.org/stable/c/c2ab74c12932e52cfa1e7e4582d42b0c8bec96c7nvd
- git.kernel.org/stable/c/c85fe6580e86947ca07907ebf4363a73c156fda7nvd
- git.kernel.org/stable/c/e1f0a18c9564cdb16523c802e2c6fe5874e3d944nvd
News mentions
0No linked articles in our index yet.