{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-46098","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-13T15:03:33.097Z","datePublished":"2026-05-27T12:59:02.308Z","dateUpdated":"2026-06-14T17:54:16.006Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-14T17:54:16.006Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: caif: clear client service pointer on teardown\n\n`caif_connect()` can tear down an existing client after remote shutdown by\ncalling `caif_disconnect_client()` followed by `caif_free_client()`.\n`caif_free_client()` releases the service layer referenced by\n`adap_layer->dn`, but leaves that pointer stale.\n\nWhen the socket is later destroyed, `caif_sock_destructor()` calls\n`caif_free_client()` again and dereferences the freed service pointer.\n\nClear the client/service links before releasing the service object so\nrepeated teardown becomes harmless."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/caif/cfsrvl.c"],"versions":[{"version":"43e3692101086add8719c3b8b50b05c9ac5b14e1","lessThan":"cffca7a18b8f9de7c3d3013a1f5740c412b2a501","status":"affected","versionType":"git"},{"version":"43e3692101086add8719c3b8b50b05c9ac5b14e1","lessThan":"7ef97d4675b05a103648bd9244d91dff7d8c08b0","status":"affected","versionType":"git"},{"version":"43e3692101086add8719c3b8b50b05c9ac5b14e1","lessThan":"e16859f3f4426fa349bc5519d582a93d28f5a15d","status":"affected","versionType":"git"},{"version":"43e3692101086add8719c3b8b50b05c9ac5b14e1","lessThan":"914c6456fcfc21a3d553945dff62fd1621d6155d","status":"affected","versionType":"git"},{"version":"43e3692101086add8719c3b8b50b05c9ac5b14e1","lessThan":"3ac6db584d9d420267bb8413115707eeec76d9cf","status":"affected","versionType":"git"},{"version":"43e3692101086add8719c3b8b50b05c9ac5b14e1","lessThan":"63d21a3aa0108b9dde4e99b0d3d5d679ac68c0f9","status":"affected","versionType":"git"},{"version":"43e3692101086add8719c3b8b50b05c9ac5b14e1","lessThan":"a4b191ddc12c55ddb62feb096536f819f384d6f1","status":"affected","versionType":"git"},{"version":"43e3692101086add8719c3b8b50b05c9ac5b14e1","lessThan":"f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/caif/cfsrvl.c"],"versions":[{"version":"3.0","status":"affected"},{"version":"0","lessThan":"3.0","status":"unaffected","versionType":"semver"},{"version":"5.10.258","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.86","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.27","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.4","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcluding":"5.10.258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcluding":"5.15.209"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcluding":"6.1.175"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcluding":"6.6.140"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcluding":"6.12.86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcluding":"6.18.27"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcluding":"7.0.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcluding":"7.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/cffca7a18b8f9de7c3d3013a1f5740c412b2a501"},{"url":"https://git.kernel.org/stable/c/7ef97d4675b05a103648bd9244d91dff7d8c08b0"},{"url":"https://git.kernel.org/stable/c/e16859f3f4426fa349bc5519d582a93d28f5a15d"},{"url":"https://git.kernel.org/stable/c/914c6456fcfc21a3d553945dff62fd1621d6155d"},{"url":"https://git.kernel.org/stable/c/3ac6db584d9d420267bb8413115707eeec76d9cf"},{"url":"https://git.kernel.org/stable/c/63d21a3aa0108b9dde4e99b0d3d5d679ac68c0f9"},{"url":"https://git.kernel.org/stable/c/a4b191ddc12c55ddb62feb096536f819f384d6f1"},{"url":"https://git.kernel.org/stable/c/f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8"}],"title":"net: caif: clear client service pointer on teardown","x_generator":{"engine":"bippy-1.2.0"}}}}