CVE-2026-46330 Overview
CVE-2026-46330 affects the Linux kernel's Shared Memory Communications (SMC) subsystem. The vulnerability stems from the now-reverted net/smc TCP Upper Layer Protocol (ULP) support, originally introduced in commit d7cd421da9da2cc7b4d25b8537f66db5c8331c40. The implementation attempted to convert an active TCP socket into an SMC socket by modifying the underlying struct file, dentry, and inode in-place. This approach violates core Virtual File System (VFS) invariants that assume these structures remain immutable for an open file. The design flaw introduces a risk of use-after-free errors and general system instability. Linux kernel maintainers resolved the issue by reverting the feature entirely rather than patching it.
Critical Impact
In-place modification of VFS structures by the SMC TCP ULP code can trigger use-after-free conditions and kernel instability on affected Linux systems.
Affected Products
- Linux kernel versions containing commit d7cd421da9da2cc7b4d25b8537f66db5c8331c40 (net/smc TCP ULP support)
- Distributions shipping kernels with the net/smc ULP feature enabled
- Systems using Shared Memory Communications over TCP sockets
Discovery Timeline
- 2026-06-09 - CVE-2026-46330 published to the National Vulnerability Database
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-46330
Vulnerability Analysis
The vulnerability resides in the SMC (Shared Memory Communications) protocol's TCP ULP integration path. SMC is a Linux kernel protocol that provides RDMA-accelerated socket communication. The reverted feature aimed to give legacy TCP applications transparent access to SMC by allowing in-place protocol conversion through the TCP ULP framework. Instead of creating new file objects, the code mutated existing struct file, dentry, and inode objects associated with an already-open TCP socket. The VFS layer assumes these structures do not change identity or operations during the lifetime of an open file. Violating this contract produces unsynchronized state across kernel subsystems referencing those objects.
Root Cause
The root cause is a design-level violation of VFS object immutability. Multiple kernel paths cache pointers to file operations, dentries, and inodes under the assumption they remain stable. Rewriting these fields in place leaves stale references in any code path that already observed the original TCP socket state, producing the conditions for a use-after-free [CWE-416].
Attack Vector
A local process that opens a TCP socket and attaches the smc ULP through setsockopt(TCP_ULP) can drive the kernel through the unsafe conversion path. Concurrent operations on the same file descriptor across threads or shared file table entries can race against the in-place mutation. The resulting dangling references may be reached during subsequent socket, file, or dentry operations.
No verified public exploit code is available. The defect was identified during code review by Al Viro and addressed by reverting the feature in commits 6c505d95 and df31a6b0.
Detection Methods for CVE-2026-46330
Indicators of Compromise
- Kernel oops or panic messages referencing smc, tcp_ulp, or VFS dentry/inode operations following socket activity
- Unexpected setsockopt calls specifying TCP_ULP with the value smc from non-SMC-aware workloads
- KASAN (Kernel Address Sanitizer) reports flagging use-after-free conditions in socket or file teardown paths
Detection Strategies
- Audit running kernels for the presence of the net/smc TCP ULP code by checking kernel version against the reverting commits 6c505d95 and df31a6b0
- Enable auditd rules on setsockopt syscalls to surface processes attempting to register the smc ULP
- Correlate kernel ring buffer (dmesg) anomalies with process activity that uses TCP sockets and ULP attachment
Monitoring Recommendations
- Forward dmesg and /var/log/kern.log events to a centralized log platform for kernel crash analysis
- Track unexpected reboots, soft lockups, and socket-related kernel warnings on Linux hosts
- Inventory kernel build versions across the fleet and flag hosts running affected commits before the revert
How to Mitigate CVE-2026-46330
Immediate Actions Required
- Update affected Linux hosts to a kernel build that includes the revert commits 6c505d95 and df31a6b0
- Identify workloads using TCP_ULP with the smc value and migrate them to supported transparency mechanisms such as LD_PRELOAD or BPF
- Restrict the ability of untrusted local users to call setsockopt(TCP_ULP) where feasible through seccomp or LSM policies
Patch Information
The upstream Linux kernel resolved this issue by reverting commit d7cd421da9da2cc7b4d25b8537f66db5c8331c40. Apply distribution kernel updates that incorporate the reverts referenced in the stable kernel git tree and the companion revert commit. Vendors shipping long-term support kernels should backport both commits.
Workarounds
- Disable the SMC kernel module where it is not required by running modprobe -r smc and blacklisting the module
- Use LD_PRELOAD-based SMC shims or eBPF socket programs for legacy application transparency instead of the in-kernel ULP path
- Apply seccomp filters to block setsockopt calls with TCP_ULP from untrusted processes
# Configuration example: blacklist the SMC module to prevent ULP attachment
echo 'blacklist smc' | sudo tee /etc/modprobe.d/blacklist-smc.conf
echo 'install smc /bin/true' | sudo tee -a /etc/modprobe.d/blacklist-smc.conf
sudo modprobe -r smc 2>/dev/null || true
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
