Copyright © 2012 Red Hat, Inc. All rights reserved. 2026-05-27T00:00:00 kernel: net: caif: clear client service pointer on teardown CWE-1341

In the Linux kernel, the following vulnerability has been resolved: net: caif: clear client service pointer on teardown `caif_connect()` can tear down an existing client after remote shutdown by calling `caif_disconnect_client()` followed by `caif_free_client()`. `caif_free_client()` releases the service layer referenced by `adap_layer->dn`, but leaves that pointer stale. When the socket is later destroyed, `caif_sock_destructor()` calls `caif_free_client()` again and dereferences the freed service pointer. Clear the client/service links before releasing the service object so repeated teardown becomes harmless.

A flaw was found in the Linux kernel's CAIF network module. When a client is torn down, the `caif_free_client()` function frees a service pointer but leaves it in a stale state. If the socket is later destroyed, `caif_free_client()` may be called again, attempting to use the previously freed pointer. This can lead to memory corruption and potentially cause a system crash, resulting in a Denial of Service (DoS).

Red Hat Enterprise Linux 10 Not affected kernel Red Hat Enterprise Linux 6 Not affected kernel Red Hat Enterprise Linux 7 Not affected kernel Red Hat Enterprise Linux 7 Not affected kernel-rt Red Hat Enterprise Linux 8 Not affected kernel Red Hat Enterprise Linux 8 Not affected kernel-rt Red Hat Enterprise Linux 9 Not affected kernel Red Hat Enterprise Linux 9 Not affected kernel-rt https://www.cve.org/CVERecord?id=CVE-2026-46098 https://nvd.nist.gov/vuln/detail/CVE-2026-46098 https://lore.kernel.org/linux-cve-announce/2026052704-CVE-2026-46098-ec82@gregkh/T