CVE-2026-23460
Description
In the Linux kernel, the following vulnerability has been resolved: net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect syzkaller reported a bug [1], and the reproducer is available at [2]. ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN, TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING (-ECONNREFUSED), but lacks a check for TCP_SYN_SENT. When rose_connect() is called a second time while the first connection attempt is still in progress (TCP_SYN_SENT), it overwrites rose->neighbour via rose_get_neigh(). If that returns NULL, the socket is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL. When the socket is subsequently closed, rose_release() sees ROSE_STATE_1 and calls rose_write_internal() -> rose_transmit_link(skb, NULL), causing a NULL pointer dereference. Per connect(2), a second connect() while a connection is already in progress should return -EALREADY. Add this missing check for TCP_SYN_SENT to complete the state validation in rose_connect(). [1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271 [2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| debian | bookworm | fixed | 6.1.170-1 |
| debian | forky | fixed | 6.19.10-1 |
| debian | sid | fixed | 6.19.10-1 |
| debian | trixie | fixed | 6.12.85-1 |
| debian | bullseye | fixed | 6.1.170-1~deb11u1 |
| linux-kernel | affected | 5.10.253 | |
| linux-kernel | 2.6.12 | affected | |
| linux-kernel | 7.0 | affected | |
References
- https://git.kernel.org/stable/c/0c3e8bff808f17ad37a51d8e719eed22c7863120
- https://git.kernel.org/stable/c/0c9fb70a206a8734e10468ecc24d57c7596cf64e
- https://git.kernel.org/stable/c/508f49ccbe0329641bb681f7d0052bb4e5943252
- https://git.kernel.org/stable/c/a12254050e3050f1011cd24f3b880a6882d0139d
- https://git.kernel.org/stable/c/a753844d2a8136f090123c8fb1ff6c7f6ee7c2b3
- https://git.kernel.org/stable/c/c2ab74c12932e52cfa1e7e4582d42b0c8bec96c7
- https://git.kernel.org/stable/c/c85fe6580e86947ca07907ebf4363a73c156fda7
- https://git.kernel.org/stable/c/e1f0a18c9564cdb16523c802e2c6fe5874e3d944
- https://www.suse.com/security/cve/CVE-2026-23460.html
- https://security-tracker.debian.org/tracker/CVE-2026-23460
CWEs
CWE-476
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.