5.5

CVE-2026-23460

net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect

In the Linux kernel, the following vulnerability has been resolved:

net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect

syzkaller reported a bug [1], and the reproducer is available at [2].

ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN,
TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects
calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING
(-ECONNREFUSED), but lacks a check for TCP_SYN_SENT.

When rose_connect() is called a second time while the first connection
attempt is still in progress (TCP_SYN_SENT), it overwrites
rose->neighbour via rose_get_neigh(). If that returns NULL, the socket
is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL.
When the socket is subsequently closed, rose_release() sees
ROSE_STATE_1 and calls rose_write_internal() ->
rose_transmit_link(skb, NULL), causing a NULL pointer dereference.

Per connect(2), a second connect() while a connection is already in
progress should return -EALREADY. Add this missing check for
TCP_SYN_SENT to complete the state validation in rose_connect().

[1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271
[2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 2.6.12.1 < 5.10.253
LinuxLinux Kernel Version >= 5.11 < 5.15.203
LinuxLinux Kernel Version >= 5.16 < 6.1.167
LinuxLinux Kernel Version >= 6.2 < 6.6.130
LinuxLinux Kernel Version >= 6.7 < 6.12.78
LinuxLinux Kernel Version >= 6.13 < 6.18.20
LinuxLinux Kernel Version >= 6.19 < 6.19.10
LinuxLinux Kernel Version2.6.12 Update-
LinuxLinux Kernel Version2.6.12 Updaterc2
LinuxLinux Kernel Version2.6.12 Updaterc3
LinuxLinux Kernel Version2.6.12 Updaterc4
LinuxLinux Kernel Version2.6.12 Updaterc5
LinuxLinux Kernel Version7.0 Updaterc1
LinuxLinux Kernel Version7.0 Updaterc2
LinuxLinux Kernel Version7.0 Updaterc3
LinuxLinux Kernel Version7.0 Updaterc4
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.12% 0.024
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

https://git.kernel.org/stable/c/c2ab74c12932e52cfa1e7e4582d42b0c8bec96c7
Patch
https://git.kernel.org/stable/c/0c9fb70a206a8734e10468ecc24d57c7596cf64e
Patch
https://git.kernel.org/stable/c/508f49ccbe0329641bb681f7d0052bb4e5943252
Patch
https://git.kernel.org/stable/c/0c3e8bff808f17ad37a51d8e719eed22c7863120
Patch
https://git.kernel.org/stable/c/a12254050e3050f1011cd24f3b880a6882d0139d
Patch
https://git.kernel.org/stable/c/e1f0a18c9564cdb16523c802e2c6fe5874e3d944
Patch
https://git.kernel.org/stable/c/a753844d2a8136f090123c8fb1ff6c7f6ee7c2b3
Patch
https://git.kernel.org/stable/c/c85fe6580e86947ca07907ebf4363a73c156fda7
Patch