{"id":"CVE-2026-46098","summary":"net: caif: clear client service pointer on teardown","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: caif: clear client service pointer on teardown\n\n`caif_connect()` can tear down an existing client after remote shutdown by\ncalling `caif_disconnect_client()` followed by `caif_free_client()`.\n`caif_free_client()` releases the service layer referenced by\n`adap_layer-\u003edn`, but leaves that pointer stale.\n\nWhen the socket is later destroyed, `caif_sock_destructor()` calls\n`caif_free_client()` again and dereferences the freed service pointer.\n\nClear the client/service links before releasing the service object so\nrepeated teardown becomes harmless.","modified":"2026-06-27T11:54:52.306286534Z","published":"2026-05-27T12:59:02.308Z","related":["openSUSE-SU-2026:10954-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46098.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3ac6db584d9d420267bb8413115707eeec76d9cf"},{"type":"WEB","url":"https://git.kernel.org/stable/c/63d21a3aa0108b9dde4e99b0d3d5d679ac68c0f9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7ef97d4675b05a103648bd9244d91dff7d8c08b0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/914c6456fcfc21a3d553945dff62fd1621d6155d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a4b191ddc12c55ddb62feb096536f819f384d6f1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cffca7a18b8f9de7c3d3013a1f5740c412b2a501"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e16859f3f4426fa349bc5519d582a93d28f5a15d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46098.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46098"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"43e3692101086add8719c3b8b50b05c9ac5b14e1"},{"fixed":"cffca7a18b8f9de7c3d3013a1f5740c412b2a501"},{"fixed":"7ef97d4675b05a103648bd9244d91dff7d8c08b0"},{"fixed":"e16859f3f4426fa349bc5519d582a93d28f5a15d"},{"fixed":"914c6456fcfc21a3d553945dff62fd1621d6155d"},{"fixed":"3ac6db584d9d420267bb8413115707eeec76d9cf"},{"fixed":"63d21a3aa0108b9dde4e99b0d3d5d679ac68c0f9"},{"fixed":"a4b191ddc12c55ddb62feb096536f819f384d6f1"},{"fixed":"f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46098.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.0.0"},{"fixed":"5.10.258"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.209"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.140"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.86"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.27"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46098.json"}}],"schema_version":"1.7.5"}