CVE-2026-52941

Source
https://cve.org/CVERecord?id=CVE-2026-52941
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52941.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52941
Downstream
Published
2026-06-24T07:14:29.943Z
Modified
2026-07-10T03:53:50.248903202Z
Summary
net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint
Details

In the Linux kernel, the following vulnerability has been resolved:

net/smc: avoid NULL deref of conn->lnk in smcmsgevent tracepoint

The smcmsgevent tracepoint class, shared by smctxsendmsg and smcrxrecvmsg, unconditionally dereferences smc->conn.lnk:

__string(name, smc->conn.lnk->ibname)

conn->lnk is only set for SMC-R; for SMC-D it is NULL. Other code on these paths already handles this (e.g. !conn->lnk in SMCSTATRMBTXSIZE_SMALL()). With the tracepoint enabled, the first sendmsg()/recvmsg() on an SMC-D socket crashes:

Oops: general protection fault, probably for non-canonical address KASAN: null-ptr-deref in range [...] RIP: 0010:strlen+0x1e/0xa0 Call Trace: traceeventraweventsmcmsgevent (net/smc/smctracepoint.h:44) smcrxrecvmsg (net/smc/smcrx.c:515) smcrecvmsg (net/smc/afsmc.c:2859) __sys_recvfrom (net/socket.c:2315) __x64sysrecvfrom (net/socket.c:2326) dosyscall64

The faulting address 0x3e0 is offsetof(struct smclink, ibname), confirming the NULL ->lnk deref. Enabling the tracepoint requires root, but the trigger itself is unprivileged: socket(AFSMC, ...) has no capability check, and SMC-D negotiation needs no admin step on s390 or on x86 with the loopback ISM device loaded.

Log an empty device name for SMC-D instead of dereferencing NULL.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52941.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84
Fixed
68200112534bb2acd1d7117dc2d5c124868d866d
Fixed
720c76b930c52cd58f50eb6b10569d03dccc7959
Fixed
b706d6d76a2a2793fe5ad0fbc2a75b6a460094ef
Fixed
d2ea0b8aef8746e147602eac87ca8538f4bc7e66
Fixed
561cf66fa9b6c86dfe4e687d2d1aeaaa6739917f
Fixed
7bf563badd37cb796df5477d2b78bb64148a1268

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52941.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.142
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.92
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.34
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.11

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52941.json"