HIGH
caif Client UAF
CVE-2026-46098
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved:

net: caif: clear client service pointer on teardown

`caif_connect()` can tear down an existing client after remote shutdown by calling `caif_disconnect_client()` followed by `caif_free_client()`. `caif_free_client()` releases the service layer referenced by `adap_layer->dn`, but leaves that pointer stale. When the socket is later destroyed, `caif_sock_destructor()` calls `caif_free_client()` again and dereferences the freed service pointer. Clear the client/service links before releasing the service object so repeated teardown becomes harmless.
02 KernelScan AI Analysis
Risk summary
A local user with low privileges who can open an AF_CAIF socket can trigger a use-after-free in the CAIF networking subsystem by forcing the client connection to be torn down twice: once through `caif_connect()` re-connecting after the remote side has shut the link down, and again when the socket is destroyed. The second teardown touches a freed kernel heap object, which can crash the system or, depending on what reoccupies the freed slot, corrupt kernel memory and be leveraged for privilege escalation (the CVSS vector rates confidentiality, integrity and availability impact as High). The affected code is only compiled when the kernel is built with CONFIG_CAIF; CAIF is the interface to ST-Ericsson modems, so exposure is concentrated on embedded and modem-attached devices rather than general-purpose servers.
Vulnerability analysis
The vulnerability is in the client teardown logic of the CAIF (Communication CPU to Application CPU Interface) networking subsystem. When `caif_connect()` tears down an existing client after a remote shutdown, it calls `caif_disconnect_client()` and then `caif_free_client()`. `caif_free_client()` releases the service layer object referenced by `adap_layer->dn` but leaves that pointer pointing at the freed memory. When the socket is later destroyed, `caif_sock_destructor()` calls `caif_free_client()` a second time on the same client layer; it follows the stale `dn` pointer and dereferences the already-freed service object. The fix clears both links, the client-to-service pointer (`adap_layer->dn`) and the service-to-client back-pointer (`serv_layer->up`), before the service object is released, so a later teardown finds no service attached and has nothing to free. To confirm exposure on a given system, check whether CONFIG_CAIF is set in the running kernel's configuration and compare the kernel version against the fixed version for its stable branch listed below.
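As an added illustration, not kernel code and not part of the KernelScan page, the following user-space model in C replays the double teardown described above. The `struct layer`, the pool allocator with a liveness flag and the two `free_client_*` functions are invented for this example; only the field names `dn` and `up` and the call sequence (re-connect teardown, then destructor teardown) follow the commit message. The liveness flag stands in for what KASAN would report in the kernel, so the stale-pointer case is detected deterministically instead of being undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Two layers of the model stack. The field names mirror the commit
 * message (client adap_layer->dn, service serv_layer->up); the struct
 * itself is invented for this illustration. */
struct layer {
    const char *name;
    struct layer *up;   /* service -> client back-pointer */
    struct layer *dn;   /* client -> service pointer */
};

/* A fixed pool with a liveness flag stands in for kmalloc/kfree so that a
 * touch of a released object is detected deterministically, the way KASAN
 * would report it, instead of being undefined behaviour. */
#define POOL_SIZE 4
static struct layer pool[POOL_SIZE];
static int live[POOL_SIZE];
static int release_count;          /* how many times the service was released */

static struct layer *layer_alloc(const char *name)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!live[i]) {
            live[i] = 1;
            memset(&pool[i], 0, sizeof pool[i]);
            pool[i].name = name;
            return &pool[i];
        }
    }
    return NULL;
}

static int layer_is_live(const struct layer *l) { return live[l - pool]; }
static void layer_release(struct layer *l) { live[l - pool] = 0; release_count++; }

/* Vulnerable shape: the service is released but adap->dn keeps pointing at
 * it, so the next teardown walks into freed memory. Returns -1 at the point
 * where the real code would dereference the freed object. */
static int free_client_stale(struct layer *adap)
{
    struct layer *serv;

    if (adap == NULL || adap->dn == NULL)
        return 0;
    serv = adap->dn;
    if (!layer_is_live(serv))
        return -1;                 /* use-after-free: serv was released earlier */
    layer_release(serv);           /* adap->dn is left stale */
    return 0;
}

/* Fixed shape: unlink both directions first. A repeated call then sees
 * adap->dn == NULL and returns before touching the released object. */
static int free_client_fixed(struct layer *adap)
{
    struct layer *serv;

    if (adap == NULL || adap->dn == NULL)
        return 0;
    serv = adap->dn;
    adap->dn = NULL;               /* client no longer refers to the service */
    serv->up = NULL;               /* service no longer refers to the client */
    if (!layer_is_live(serv))
        return -1;
    layer_release(serv);
    return 0;
}

/* Replays the sequence from the advisory: caif_connect() tearing down a
 * client after remote shutdown, then caif_sock_destructor() tearing it
 * down again. Returns 1 if both calls are harmless and the service was
 * released exactly once, 0 if the second call reached a released object. */
static int double_teardown(int (*free_client)(struct layer *))
{
    struct layer *client, *serv;
    int rc1, rc2;

    memset(live, 0, sizeof live);
    release_count = 0;
    client = layer_alloc("client");
    serv = layer_alloc("service");
    client->dn = serv;
    serv->up = client;

    rc1 = free_client(client);     /* re-connect path after remote shutdown */
    rc2 = free_client(client);     /* socket destructor */
    return rc1 == 0 && rc2 == 0 && release_count == 1;
}

int main(void)
{
    printf("stale dn pointer : %s\n",
           double_teardown(free_client_stale) ? "harmless" : "use-after-free");
    printf("links cleared    : %s\n",
           double_teardown(free_client_fixed) ? "harmless" : "use-after-free");
    return 0;
}
```

The point the model makes is that the fix does not add a new guard; it makes the existing "nothing attached" early return do the work by ensuring the pointer that would have been followed is already NULL when the second teardown arrives.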
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | cffca7a18b8f |
| 5.15 | 5.15.209 | 7ef97d4675b0 |
| 6.1 | 6.1.175 | e16859f3f442 |
| 6.6 | 6.6.140 | 914c6456fcfc |
| 6.12 | 6.12.86 | 3ac6db584d9d |
| 6.18 | 6.18.27 | 63d21a3aa010 |
| 7.0 | 7.0.4 | a4b191ddc12c |
| mainline | 7.1-rc1 | f7cf8ece8cee |