{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-52941", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-06-09T07:44:35.370Z", "datePublished": "2026-06-24T07:14:29.943Z", "dateUpdated": "2026-06-24T07:14:29.943Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-06-24T07:14:29.943Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint\n\nThe smc_msg_event tracepoint class, shared by smc_tx_sendmsg and\nsmc_rx_recvmsg, unconditionally dereferences smc->conn.lnk:\n\n\t__string(name, smc->conn.lnk->ibname)\n\nconn->lnk is only set for SMC-R; for SMC-D it is NULL. Other code on\nthese paths already handles this (e.g. !conn->lnk in\nSMC_STAT_RMB_TX_SIZE_SMALL()). With the tracepoint enabled, the first\nsendmsg()/recvmsg() on an SMC-D socket crashes:\n\n Oops: general protection fault, probably for non-canonical address\n KASAN: null-ptr-deref in range [...]\n RIP: 0010:strlen+0x1e/0xa0\n Call Trace:\n trace_event_raw_event_smc_msg_event (net/smc/smc_tracepoint.h:44)\n smc_rx_recvmsg (net/smc/smc_rx.c:515)\n smc_recvmsg (net/smc/af_smc.c:2859)\n __sys_recvfrom (net/socket.c:2315)\n __x64_sys_recvfrom (net/socket.c:2326)\n do_syscall_64\n\nThe faulting address 0x3e0 is offsetof(struct smc_link, ibname),\nconfirming the NULL ->lnk deref. Enabling the tracepoint requires\nroot, but the trigger itself is unprivileged: socket(AF_SMC, ...) has\nno capability check, and SMC-D negotiation needs no admin step on\ns390 or on x86 with the loopback ISM device loaded.\n\nLog an empty device name for SMC-D instead of dereferencing NULL."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/smc/smc_tracepoint.h"], "versions": [{"version": "aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84", "lessThan": "68200112534bb2acd1d7117dc2d5c124868d866d", "status": "affected", "versionType": "git"}, {"version": "aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84", "lessThan": "720c76b930c52cd58f50eb6b10569d03dccc7959", "status": "affected", "versionType": "git"}, {"version": "aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84", "lessThan": "b706d6d76a2a2793fe5ad0fbc2a75b6a460094ef", "status": "affected", "versionType": "git"}, {"version": "aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84", "lessThan": "d2ea0b8aef8746e147602eac87ca8538f4bc7e66", "status": "affected", "versionType": "git"}, {"version": "aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84", "lessThan": "561cf66fa9b6c86dfe4e687d2d1aeaaa6739917f", "status": "affected", "versionType": "git"}, {"version": "aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84", "lessThan": "7bf563badd37cb796df5477d2b78bb64148a1268", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/smc/smc_tracepoint.h"], "versions": [{"version": "5.16", "status": "affected"}, {"version": "0", "lessThan": "5.16", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.175", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.142", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.92", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.34", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.11", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.175"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.6.142"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.12.92"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.18.34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "7.0.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "7.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/68200112534bb2acd1d7117dc2d5c124868d866d"}, {"url": "https://git.kernel.org/stable/c/720c76b930c52cd58f50eb6b10569d03dccc7959"}, {"url": "https://git.kernel.org/stable/c/b706d6d76a2a2793fe5ad0fbc2a75b6a460094ef"}, {"url": "https://git.kernel.org/stable/c/d2ea0b8aef8746e147602eac87ca8538f4bc7e66"}, {"url": "https://git.kernel.org/stable/c/561cf66fa9b6c86dfe4e687d2d1aeaaa6739917f"}, {"url": "https://git.kernel.org/stable/c/7bf563badd37cb796df5477d2b78bb64148a1268"}], "title": "net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{}

{}

{}