net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect

Summary

CVE	CVE-2026-23460
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-04-03 16:16:32 UTC
Updated	2026-04-07 13:21:09 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect syzkaller reported a bug [1], and the reproducer is available at [2]. ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN, TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING (-ECONNREFUSED), but lacks a check for TCP_SYN_SENT. When rose_connect() is called a second time while the first connection attempt is still in progress (TCP_SYN_SENT), it overwrites rose->neighbour via rose_get_neigh(). If that returns NULL, the socket is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL. When the socket is subsequently closed, rose_release() sees ROSE_STATE_1 and calls rose_write_internal() -> rose_transmit_link(skb, NULL), causing a NULL pointer dereference. Per connect(2), a second connect() while a connection is already in progress should return -EALREADY. Add this missing check for TCP_SYN_SENT to complete the state validation in rose_connect(). [1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271 [2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516

Risk And Classification

EPSS: 0.000240000 probability, percentile 0.066190000 (date 2026-04-07)

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 c2ab74c12932e52cfa1e7e4582d42b0c8bec96c7 git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 0c9fb70a206a8734e10468ecc24d57c7596cf64e git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 508f49ccbe0329641bb681f7d0052bb4e5943252 git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 0c3e8bff808f17ad37a51d8e719eed22c7863120 git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 a12254050e3050f1011cd24f3b880a6882d0139d git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 e1f0a18c9564cdb16523c802e2c6fe5874e3d944 git	Not specified
CNA	Linux	Linux	affected 2.6.12	Not specified
CNA	Linux	Linux	unaffected 2.6.12 semver	Not specified
CNA	Linux	Linux	unaffected 6.1.167 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.130 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.78 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.20 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.10 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0-rc5 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/e1f0a18c9564cdb16523c802e2c6fe5874e3d944	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/0c3e8bff808f17ad37a51d8e719eed22c7863120	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/c2ab74c12932e52cfa1e7e4582d42b0c8bec96c7	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/a12254050e3050f1011cd24f3b880a6882d0139d	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/508f49ccbe0329641bb681f7d0052bb4e5943252	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/0c9fb70a206a8734e10468ecc24d57c7596cf64e	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.