In the Linux kernel, the following vulnerability has been resolved:
net: caif: clear client service pointer on teardown
`caif_connect()` can tear down an existing client after remote shutdown by
calling `caif_disconnect_client()` followed by `caif_free_client()`.
`caif_free_client()` releases the service layer referenced by
`adap_layer->dn`, but leaves that pointer stale.
When the socket is later destroyed, `caif_sock_destructor()` calls
`caif_free_client()` again and dereferences the freed service pointer.
Clear the client/service links before releasing the service object so
repeated teardown becomes harmless.
net: caif: clear client service pointer on teardown
`caif_connect()` can tear down an existing client after remote shutdown by
calling `caif_disconnect_client()` followed by `caif_free_client()`.
`caif_free_client()` releases the service layer referenced by
`adap_layer->dn`, but leaves that pointer stale.
When the socket is later destroyed, `caif_sock_destructor()` calls
`caif_free_client()` again and dereferences the freed service pointer.
Clear the client/service links before releasing the service object so
repeated teardown becomes harmless.
Advisories
| Source | ID | Title |
|---|---|---|
Debian DLA |
DLA-4664-1 | linux security update |
Debian DLA |
DLA-4665-1 | linux security update |
Debian DLA |
DLA-4671-1 | linux-6.1 security update |
Ubuntu USN |
USN-8488-1 | Linux kernel vulnerabilities |
Ubuntu USN |
USN-8489-1 | Linux kernel (OEM) vulnerabilities |
Ubuntu USN |
USN-8488-2 | Linux kernel (Raspberry Pi) vulnerabilities |
Ubuntu USN |
USN-8507-1 | Linux kernel (NVIDIA) vulnerabilities |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Mon, 01 Jun 2026 17:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
Thu, 28 May 2026 04:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-416 |
Thu, 28 May 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-1341 | |
| References |
|
Wed, 27 May 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-416 |
Wed, 27 May 2026 14:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In the Linux kernel, the following vulnerability has been resolved: net: caif: clear client service pointer on teardown `caif_connect()` can tear down an existing client after remote shutdown by calling `caif_disconnect_client()` followed by `caif_free_client()`. `caif_free_client()` releases the service layer referenced by `adap_layer->dn`, but leaves that pointer stale. When the socket is later destroyed, `caif_sock_destructor()` calls `caif_free_client()` again and dereferences the freed service pointer. Clear the client/service links before releasing the service object so repeated teardown becomes harmless. | |
| Title | net: caif: clear client service pointer on teardown | |
| First Time appeared |
Linux
Linux linux Kernel |
|
| CPEs | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Linux
Linux linux Kernel |
|
| References |
|
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: Linux
Published:
Updated: 2026-06-14T17:54:16.006Z
Reserved: 2026-05-13T15:03:33.097Z
Link: CVE-2026-46098
No data.
Status : Awaiting Analysis
Published: 2026-05-27T14:17:31.453
Modified: 2026-06-17T10:53:03.780
Link: CVE-2026-46098
OpenCVE Enrichment
Updated: 2026-05-28T05:45:05Z
Weaknesses
Debian DLA
Ubuntu USN