CVE-2026-46027
Description
In the Linux kernel, the following vulnerability has been resolved:
net/smc: avoid early lgr access in smc_clc_wait_msg
A CLC decline can be received while the handshake is still in an early stage, before the connection has been associated with a link group.
The decline handling in smc_clc_wait_msg() updates link-group level sync state for first-contact declines, but that state only exists after link group setup has completed. Guard the link-group update accordingly and keep the per-socket peer diagnosis handling unchanged.
This preserves the existing sync_err handling for established link-group contexts and avoids touching link-group state before it is available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's SMC, a CLC decline during early handshake can cause premature link group access, leading to potential memory corruption.
Vulnerability
In the Linux kernel's net/smc subsystem, the function smc_clc_wait_msg() can be triggered to access link group (lgr) state before it is properly initialized. This occurs when a CLC decline message is received during the early stage of the handshake, before the connection has been associated with a link group. The decline handling attempts to update link-group-level synchronization state (sync_err) but this state only exists after link group setup completion. The vulnerability affects all kernel versions with SMC support prior to commit 83bcf9228b0501694fb2589ed1d142855a2887f2.
Exploitation
An attacker able to send a crafted CLC decline message over the network during the initial SMC handshake can trigger this race condition. No authentication is required, and the attacker only needs network access to intercept or preempt the handshake sequence. The exploit involves sending the decline message early, before the link group is fully established, causing the kernel to access uninitialized memory.
Impact
Successful exploitation may result in undefined behavior, including kernel memory corruption, denial of service (system crash), or potential information disclosure. The exact impact depends on the memory state; the patch specifically guards against early access to link group state, preventing these scenarios.
Mitigation
The vulnerability is fixed in Linux kernel commit 83bcf9228b0501694fb2589ed1d142855a2887f2 [1]. Users should apply the patch by updating to a kernel version that includes this commit. No workaround is available other than applying the fix.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches
5a8db80f721d net/smc: avoid early lgr access in smc_clc_wait_msg
1 file changed · +2 −3
net/smc/smc_clc.c+2 −3 modifieddiff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c index c38fc7bf0a7efb..014d527d5462db 100644 --- a/net/smc/smc_clc.c +++ b/net/smc/smc_clc.c @@ -788,8 +788,8 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen, dclc = (struct smc_clc_msg_decline *)clcm; reason_code = SMC_CLC_DECL_PEERDECL; smc->peer_diagnosis = ntohl(dclc->peer_diagnosis); - if (((struct smc_clc_msg_decline *)buf)->hdr.typev2 & - SMC_FIRST_CONTACT_MASK) { + if ((dclc->hdr.typev2 & SMC_FIRST_CONTACT_MASK) && + smc->conn.lgr) { smc->conn.lgr->sync_err = 1; smc_lgr_terminate_sched(smc->conn.lgr); } -- cgit 1.3-korg
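Review bot: the new `smc->conn.lgr` guard is a plain NULL test, and nothing in the hunk says what serializes it against link-group assignment on the same socket; a one-line comment above the `if` explaining why a concurrent assignment cannot race with this path (or pointing at the handshake serialization) would save the next reader the trip. The hunk also quietly swaps `((struct smc_clc_msg_decline *)buf)->hdr.typev2` for `dclc->hdr.typev2`; that is only equivalent if `clcm` was derived from `buf`, which the visible context (`dclc = (struct smc_clc_msg_decline *)clcm;`) does not show, so it deserves a sentence in the commit message. The same comment applies to the identical stable backports listed below.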
6180a296ca65 net/smc: avoid early lgr access in smc_clc_wait_msg
1 file changed · +2 −3
net/smc/smc_clc.c+2 −3 modifieddiff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c index b3a8053d4ab4b1..c2b2b76a8f6274 100644 --- a/net/smc/smc_clc.c +++ b/net/smc/smc_clc.c @@ -785,8 +785,8 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen, dclc = (struct smc_clc_msg_decline *)clcm; reason_code = SMC_CLC_DECL_PEERDECL; smc->peer_diagnosis = ntohl(dclc->peer_diagnosis); - if (((struct smc_clc_msg_decline *)buf)->hdr.typev2 & - SMC_FIRST_CONTACT_MASK) { + if ((dclc->hdr.typev2 & SMC_FIRST_CONTACT_MASK) && + smc->conn.lgr) { smc->conn.lgr->sync_err = 1; smc_lgr_terminate_sched(smc->conn.lgr); } -- cgit 1.3-korg
ea0b5d0fe963 net/smc: avoid early lgr access in smc_clc_wait_msg
1 file changed · +2 −3
net/smc/smc_clc.c+2 −3 modifieddiff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c index 87c87edadde719..9772b466c72a47 100644 --- a/net/smc/smc_clc.c +++ b/net/smc/smc_clc.c @@ -788,8 +788,8 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen, dclc = (struct smc_clc_msg_decline *)clcm; reason_code = SMC_CLC_DECL_PEERDECL; smc->peer_diagnosis = ntohl(dclc->peer_diagnosis); - if (((struct smc_clc_msg_decline *)buf)->hdr.typev2 & - SMC_FIRST_CONTACT_MASK) { + if ((dclc->hdr.typev2 & SMC_FIRST_CONTACT_MASK) && + smc->conn.lgr) { smc->conn.lgr->sync_err = 1; smc_lgr_terminate_sched(smc->conn.lgr); } -- cgit 1.3-korg
83bcf9228b05 net/smc: avoid early lgr access in smc_clc_wait_msg
1 file changed · +2 −3
net/smc/smc_clc.c+2 −3 modifieddiff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c index c38fc7bf0a7efb..014d527d5462db 100644 --- a/net/smc/smc_clc.c +++ b/net/smc/smc_clc.c @@ -788,8 +788,8 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen, dclc = (struct smc_clc_msg_decline *)clcm; reason_code = SMC_CLC_DECL_PEERDECL; smc->peer_diagnosis = ntohl(dclc->peer_diagnosis); - if (((struct smc_clc_msg_decline *)buf)->hdr.typev2 & - SMC_FIRST_CONTACT_MASK) { + if ((dclc->hdr.typev2 & SMC_FIRST_CONTACT_MASK) && + smc->conn.lgr) { smc->conn.lgr->sync_err = 1; smc_lgr_terminate_sched(smc->conn.lgr); } -- cgit 1.3-korg
f0858e1d5624 net/smc: avoid early lgr access in smc_clc_wait_msg
1 file changed · +2 −3
net/smc/smc_clc.c+2 −3 modifieddiff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c index 2f748226f14335..1bf6cd010f04aa 100644 --- a/net/smc/smc_clc.c +++ b/net/smc/smc_clc.c @@ -784,8 +784,8 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen, dclc = (struct smc_clc_msg_decline *)clcm; reason_code = SMC_CLC_DECL_PEERDECL; smc->peer_diagnosis = ntohl(dclc->peer_diagnosis); - if (((struct smc_clc_msg_decline *)buf)->hdr.typev2 & - SMC_FIRST_CONTACT_MASK) { + if ((dclc->hdr.typev2 & SMC_FIRST_CONTACT_MASK) && + smc->conn.lgr) { smc->conn.lgr->sync_err = 1; smc_lgr_terminate_sched(smc->conn.lgr); } -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing NULL-pointer check on `smc->conn.lgr` before dereferencing it in CLC decline handling when the link group has not yet been initialized."
Attack vector
An attacker on the network can send a crafted CLC decline message with the `SMC_FIRST_CONTACT_MASK` flag set to a peer that is still in the early handshake stage, before the link group (`lgr`) pointer has been initialized. When `smc_clc_wait_msg()` processes this decline, it dereferences the NULL or uninitialized `smc->conn.lgr` pointer, causing a NULL-pointer dereference or use of uninitialized memory [patch_id=2660316]. The attacker only needs network access to trigger the SMC handshake and send the malicious CLC decline message.
Affected code
The vulnerability is in `net/smc/smc_clc.c` in the function `smc_clc_wait_msg()`. The code path handling a CLC decline message (type `SMC_CLC_DECL_PEERDECL`) unconditionally dereferences `smc->conn.lgr` to set `sync_err` and call `smc_lgr_terminate_sched()` when the `SMC_FIRST_CONTACT_MASK` flag is set [patch_id=2660316].
What the fix does
The patch adds a `smc->conn.lgr` NULL check before accessing link-group state. The condition changes from checking only `SMC_FIRST_CONTACT_MASK` to checking both `SMC_FIRST_CONTACT_MASK` and that `smc->conn.lgr` is non-NULL [patch_id=2660316]. This ensures the `sync_err` flag and `smc_lgr_terminate_sched()` call are only executed when a link group has actually been established, while the per-socket `peer_diagnosis` field is still set unconditionally as before.
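A user-space model of the decline path before and after the fix, added here as an illustration and not taken from the kernel tree: the struct layouts are simplified and the values of `SMC_FIRST_CONTACT_MASK` and `SMC_CLC_DECL_PEERDECL` are assumed for the model. It shows that the guarded version still records `peer_diagnosis` for a decline that arrives before any link group exists, while an established link group is still flagged `sync_err` and scheduled for termination exactly as before.

```c
/* Stand-alone model of the smc_clc_wait_msg() decline path, written for
 * this page; it is not kernel code. Layouts are simplified and constant
 * values are assumed so the control flow can be exercised in user space. */
#include <stdint.h>
#include <arpa/inet.h>  /* ntohl() */

#define SMC_FIRST_CONTACT_MASK 0x08        /* assumed value */
#define SMC_CLC_DECL_PEERDECL  0x01010000  /* assumed value */

struct smc_clc_msg_hdr { uint8_t typev2; };
struct smc_clc_msg_decline {
    struct smc_clc_msg_hdr hdr;
    uint32_t peer_diagnosis;  /* network byte order on the wire */
};
struct smc_link_group { int sync_err; int terminate_scheduled; };
struct smc_sock {
    struct { struct smc_link_group *lgr; } conn;  /* NULL until lgr setup */
    uint32_t peer_diagnosis;
};

/* Stand-in for smc_lgr_terminate_sched(): only records that it was called. */
static void smc_lgr_terminate_sched(struct smc_link_group *lgr)
{
    lgr->terminate_scheduled = 1;
}

/* Pre-fix logic: a first-contact decline touches conn.lgr unconditionally,
 * so a decline that arrives before lgr setup (lgr == NULL) faults here. */
static int handle_decline_vulnerable(struct smc_sock *smc,
                                     const struct smc_clc_msg_decline *dclc)
{
    smc->peer_diagnosis = ntohl(dclc->peer_diagnosis);
    if (dclc->hdr.typev2 & SMC_FIRST_CONTACT_MASK) {
        smc->conn.lgr->sync_err = 1;  /* NULL dereference on early decline */
        smc_lgr_terminate_sched(smc->conn.lgr);
    }
    return SMC_CLC_DECL_PEERDECL;
}

/* Fixed logic: peer_diagnosis is still recorded per socket, but link-group
 * state is only updated once a link group actually exists. */
static int handle_decline_fixed(struct smc_sock *smc,
                                const struct smc_clc_msg_decline *dclc)
{
    smc->peer_diagnosis = ntohl(dclc->peer_diagnosis);
    if ((dclc->hdr.typev2 & SMC_FIRST_CONTACT_MASK) && smc->conn.lgr) {
        smc->conn.lgr->sync_err = 1;
        smc_lgr_terminate_sched(smc->conn.lgr);
    }
    return SMC_CLC_DECL_PEERDECL;
}
```

Calling `handle_decline_vulnerable()` with a socket whose `conn.lgr` is still unset reproduces the crash the fix prevents, so the comparison is only meaningful with an established link group.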
Preconditions
- network: The attacker must be able to initiate an SMC handshake with the target and send a CLC decline message before the link group setup completes.
- config: The target must have the SMC protocol enabled in the kernel.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- git.kernel.org/stable/c/5a8db80f721deee8e916c2cfdee78decda02ce4f (nvd)
- git.kernel.org/stable/c/6180a296ca65b08a81914805cbc0f78da5f10a1f (nvd)
- git.kernel.org/stable/c/83bcf9228b0501694fb2589ed1d142855a2887f2 (nvd)
- git.kernel.org/stable/c/ea0b5d0fe96356dce38f98375a57c52a04e13712 (nvd)
- git.kernel.org/stable/c/f0858e1d5624bb120b198f2a8528f97a9b0ae069 (nvd)
News mentions (0)
No linked articles in our index yet.