HIGH 7.8

CVE-2026-46330: Linux Kernel SMC TCP ULP Local Privilege Escalation (Use-After-Free)

A vulnerability in the Linux kernel's SMC (Shared Memory Communications) protocol implementation allows a local, authenticated attacker to crash the system or potentially execute code with elevated privileges. The flaw stems from a TCP ULP (Upper Layer Protocol) feature that incorrectly modifies core kernel file system structures in ways that violate fundamental assumptions about how those structures should behave, leading to memory safety violations. The kernel maintainers have resolved this by removing the problematic feature entirely, as the design approach was fundamentally flawed and alternatives exist for achieving the same transparency goals.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: Revert "net/smc: Introduce TCP ULP support" This reverts commit d7cd421da9da2cc7b4d25b8537f66db5c8331c40. As reported by Al Viro, the TCP ULP support for SMC is fundamentally broken. The implementation attempts to convert an active TCP socket into an SMC socket by modifying the underlying `struct file`, dentry, and inode in-place, which violates core VFS invariants that assume these structures are immutable for an open file, creating a risk of use after free errors and general system instability. Given the severity of this design flaw and the fact that cleaner alternatives (e.g., LD_PRELOAD, BPF) exist for legacy application transparency, the correct course of action is to remove this feature entirely.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46330 represents a use-after-free vulnerability (CWE-416) in the Linux kernel's SMC TCP ULP implementation. The vulnerable code attempted to transparently convert active TCP sockets to SMC sockets by in-place modification of struct file, dentry, and inode structures. This approach violated VFS (Virtual File System) invariants that treat these kernel data structures as immutable once a file is open. An attacker with local access and valid user credentials could trigger this code path, resulting in memory corruption. The fix removes the entire TCP ULP feature for SMC, as the architectural approach was determined to be unsalvageable. The revert restores the system to a state where SMC sockets are created only through explicit socket() calls rather than transparent protocol conversion.

Business impact

Affected systems face a local privilege escalation and denial-of-service risk. A non-root user with shell access can crash the kernel or potentially gain root-level code execution. This is particularly dangerous in multi-tenant environments, container orchestration platforms, and shared hosting scenarios where user isolation is critical. Organizations must prioritize patching to eliminate this attack surface, especially on systems exposed to untrusted local users or where workload isolation depends on kernel memory safety.

Affected systems

All Linux kernel versions that include the SMC TCP ULP support feature are affected. This includes recent stable and long-term support (LTS) kernels where this feature was merged. The vulnerability requires local access with a valid user account; remote exploitation is not possible. Systems with strict local user restrictions (single-user or administrative-only access) face lower risk, but any system allowing unprivileged user logins should be patched.

Exploitability

Exploitation requires local system access and valid user credentials; a remote attacker cannot trigger this vulnerability over the network. However, the attack itself is straightforward—a local user can invoke the vulnerable code path through normal socket operations, making it highly exploitable once access is gained. No complex race conditions, side-channel techniques, or information leaks are needed. The CVSS score of 7.8 (HIGH) reflects the local-only requirement but acknowledges the high impact (confidentiality, integrity, and availability all affected).

Remediation

Apply the kernel patch that reverts commit d7cd421da9da2cc7b4d25b8537f66db5c8331c40, which removes the SMC TCP ULP feature entirely. This revert is the definitive fix and has been merged into the mainline kernel. Users relying on transparent SMC protocol conversion for legacy applications should migrate to alternative approaches such as LD_PRELOAD wrappers, BPF-based socket redirection, or explicit SMC socket creation through updated application code. No functional workaround exists for the vulnerable feature itself; removal is the correct resolution.

Patch guidance

Obtain kernel updates from your Linux distribution or the kernel.org repository. The exact version numbers vary by distribution; verify against your vendor's advisory for Red Hat, Ubuntu, SUSE, Debian, and other maintainers. LTS kernel branches (5.15, 6.1, 6.6) should have patches available or in progress. After applying patches, reboot to load the fixed kernel. Verify the fix by confirming the kernel version and checking release notes for the revert commit. If you are using a custom or self-compiled kernel, apply the revert to your kernel source tree and rebuild.

Detection guidance

Monitor system logs for signs of kernel oops, segmentation faults, or unexpected process terminations that could indicate exploitation. Intrusion detection rules should flag attempts to manipulate SMC socket behavior through unusual socket() syscall patterns. Kernel ASAN (Address Sanitizer) or KSAN builds will immediately catch use-after-free memory violations. For runtime detection, watch for: unexpected kernel panics or page faults in SMC-related code paths, denial-of-service conditions coinciding with active user sessions, and any alerts from memory-safety monitoring tools. File Integrity Monitoring (FIM) on kernel modules confirms patch application.

Why prioritize this

This vulnerability merits immediate patching due to its HIGH severity score, local privilege escalation capability, and the simplicity of exploitation. Any system with untrusted local users (multi-user systems, containers, shared hosting) faces direct risk. The architectural nature of the flaw—a violation of fundamental kernel invariants—suggests potential for secondary exploits or instability even if direct privilege escalation is not triggered. The upstream kernel community's decision to remove the entire feature signals confidence that no safe fix exists; patching eliminates the attack surface entirely rather than hardening a flawed design.

Risk score, explained

The CVSS v3.1 score of 7.8 reflects: (1) Local attack vector (AV:L)—requires user-level system access, reducing the attack surface compared to network exploits; (2) Low complexity (AC:L)—no special conditions or race conditions needed; (3) Low privileges required (PR:L)—a standard unprivileged user can exploit it; (4) No user interaction (UI:N); (5) Unchanged scope (S:U); and (6) High impact across confidentiality, integrity, and availability (C:H/I:H/A:H)—the use-after-free can leak kernel memory, corrupt critical structures, and crash the system. The score appropriately balances the local-only requirement against the severe consequences.

Frequently asked questions

Can this vulnerability be exploited remotely or over the network?

No. The vulnerability requires local system access with valid user credentials. Network-based attacks are not possible. Risk is limited to systems where untrusted users have shell access or login privileges.

What is SMC (Shared Memory Communications) and why was TCP ULP support added in the first place?

SMC is an optimization protocol for low-latency, high-throughput communication in data centers by leveraging remote direct memory access (RDMA) hardware. The TCP ULP feature attempted to transparently convert existing TCP sockets to SMC without requiring application code changes. However, the implementation's approach of modifying immutable kernel file system structures violated fundamental VFS assumptions and was found to be unsalvageable.

If I have SMC hardware and rely on SMC for performance, am I forced to rewrite my applications?

Not necessarily. The revert removes only the transparent TCP ULP conversion feature. Applications can still explicitly create SMC sockets through updated socket creation code, or use alternative user-space mechanisms like LD_PRELOAD or eBPF to achieve transparency without violating kernel invariants. Consult with your SMC/RDMA vendor or kernel community for migration guidance.

Is this vulnerability tracked on CISA's Known Exploited Vulnerabilities (KEV) list?

No, this vulnerability is not currently listed on the CISA KEV catalog. However, the HIGH severity score and local privilege escalation capability mean it should still be treated as a critical patch priority.

This analysis is based on the CVE record and upstream kernel communications as of the publication date. Patch availability, version numbers, and timelines vary by Linux distribution; always verify against your vendor's official security advisory before deployment. No exploit code or weaponized proof-of-concept is provided. Organizations should validate patches in non-production environments before production rollout. This page does not constitute legal or professional security advice; consult your organization's security team for risk assessment specific to your infrastructure. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).