CVE-2026-52941
Linux Kernel vulnerability analysis and mitigation

Overview

CVE-2026-52941 is a NULL pointer dereference vulnerability in the Linux kernel's SMC (Shared Memory Communications) subsystem, specifically in the smc_msg_event tracepoint. The tracepoint unconditionally dereferences conn->lnk->ibname, but conn->lnk is only set for SMC-R connections and is NULL for SMC-D connections, causing a kernel crash when sendmsg() or recvmsg() is called on an SMC-D socket while the tracepoint is enabled. The vulnerability was disclosed on June 24, 2026, and affects Linux kernel versions from 5.16 up to the patched stable releases. Feedly estimates the severity as HIGH; the ENISA/EUVD base score is listed as 0.0 pending full NVD scoring (GitHub Advisory, EUVD).

Technical details

The root cause is a NULL pointer dereference (CWE-476) in net/smc/smc_tracepoint.h at line 44, where the smc_msg_event tracepoint class — shared by smc_tx_sendmsg and smc_rx_recvmsg — calls __string(name, smc->conn.lnk->ibname) without first checking whether conn->lnk is NULL. The conn->lnk field is only populated for SMC-R (RDMA-based) connections; for SMC-D (Direct Memory Access via ISM device) connections it remains NULL. Enabling the tracepoint requires root privileges, but triggering the crash does not: socket(AF_SMC, ...) has no capability check, and SMC-D negotiation requires no administrative step on s390 or on x86 with the loopback ISM device loaded. The faulting address 0x3e0 corresponds to offsetof(struct smc_link, ibname), confirming the NULL dereference (GitHub Advisory).

Impact

Successful exploitation causes a kernel panic (general protection fault / KASAN null-ptr-deref), resulting in a complete denial of service for the affected system. Once a privileged user has enabled the tracepoint, an unprivileged local user can crash the kernel simply by calling sendmsg() or recvmsg() on an SMC-D socket, so the DoS depends on a prior privileged action rather than on any privilege held by the user who triggers it. There is no evidence of confidentiality or integrity impact; the vulnerability is limited to availability (GitHub Advisory, EUVD).

Exploitation steps

  1. Prerequisite — Enable tracepoint (requires root): A privileged user enables the smc_msg_event tracepoint, e.g., via echo 1 > /sys/kernel/debug/tracing/events/smc/smc_rx_recvmsg/enable or the equivalent smc_tx_sendmsg event.
  2. Identify SMC-D availability: Confirm that the target system supports SMC-D — either an s390 system or an x86 system with the loopback ISM device (ism kernel module) loaded.
  3. Create SMC-D socket (unprivileged): As an unprivileged local user, open an AF_SMC socket: socket(AF_SMC, SOCK_STREAM, SMCPROTO_SMC). No capability check is enforced.
  4. Establish SMC-D connection: Connect to a peer that negotiates SMC-D (e.g., loopback ISM), resulting in conn->lnk remaining NULL.
  5. Trigger the crash: Call sendmsg() or recvmsg() on the SMC-D socket. The active tracepoint dereferences the NULL conn->lnk, causing a general protection fault and kernel panic (GitHub Advisory).

Indicators of compromise

  • Logs: Kernel oops messages containing general protection fault or KASAN: null-ptr-deref in range in /var/log/kern.log or dmesg output; stack trace referencing trace_event_raw_event_smc_msg_event, smc_rx_recvmsg, smc_recvmsg, __sys_recvfrom.
  • Logs: Faulting address 0x3e0 in the oops output, corresponding to offsetof(struct smc_link, ibname).
  • Process: Unexpected AF_SMC socket creation by non-privileged processes visible in ss -a or /proc/net/af_smc output.
  • Kernel Tracing: The smc_rx_recvmsg or smc_tx_sendmsg tracepoint enabled in /sys/kernel/debug/tracing/events/smc/ when not expected in production.
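
The log indicators above can be checked mechanically. The following is an added example, not part of the advisory: it groups each oops in kernel log text and reports only those whose call trace contains the SMC tracepoint handler. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: scan kernel log text for the CVE-2026-52941 oops signature.

# Reads dmesg / kern.log text on stdin. Prints one line per oops whose call
# trace contains the SMC tracepoint handler; exit status 0 if any was found.
smc_oops_scan() {
    awk '
    function emit() {
        if (in_oops && tp) {
            hits++
            printf "line %d: SMC tracepoint NULL deref%s\n", start,
                   (off ? " (fault offset 0x3e0)" : "")
        }
        in_oops = 0
    }
    # Oops header: start collecting unless one is already being collected
    # (a KASAN report prints both header lines for the same fault).
    /general protection fault|KASAN: null-ptr-deref in range/ {
        if (!in_oops) { start = NR; tp = 0; off = 0; in_oops = 1 }
    }
    # 0x3e0 is offsetof(struct smc_link, ibname) per the advisory.
    in_oops && /0x0*3e0([^0-9a-f]|$)/                { off = 1 }
    in_oops && /trace_event_raw_event_smc_msg_event/ { tp = 1 }
    in_oops && /end trace/                           { emit() }
    END { emit(); exit (hits ? 0 : 1) }
    '
}

# Constructed sample log (not captured output), modelled on the indicators.
smc_sample_log() {
    cat <<'EOF'
[  100.000000] example: unrelated message (constructed)
[  112.400001] Oops: general protection fault, probably for non-canonical address 0xdffffc000000007c: 0000 [#1] SMP KASAN
[  112.400010] KASAN: null-ptr-deref in range [0x00000000000003e0-0x00000000000003e7]
[  112.400050] Call Trace:
[  112.400060]  trace_event_raw_event_smc_msg_event+0x1a2/0x3c0
[  112.400070]  smc_rx_recvmsg+0x8f1/0x1a40
[  112.400080]  smc_recvmsg+0x2b0/0x5d0
[  112.400090]  __sys_recvfrom+0x1c4/0x2e0
[  112.400100] ---[ end trace 0000000000000000 ]---
EOF
}
```

Run it against live data with `dmesg | smc_oops_scan` or by redirecting a saved kern.log to its standard input.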

Mitigation and workarounds

Apply the available kernel patches backported to stable branches: 6.1.175, 6.6.142, 6.12.92, 6.18.34, 7.0.11, and 7.1 (mainline). The fix logs an empty device name for SMC-D connections instead of dereferencing the NULL conn->lnk pointer. As a workaround, disable the smc_msg_event tracepoint (do not enable smc_tx_sendmsg or smc_rx_recvmsg tracepoints) in production systems where SMC-D is in use, and restrict tracepoint enablement to trusted administrators only (GitHub Advisory, EUVD).
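
A host triage check combining the two conditions above (kernel release versus the listed fixed releases, and tracepoint state) is sketched below. This is an added example, not code from the advisory. The function names are hypothetical, and the version comparison assumes an upstream-style X.Y.Z release string, so distribution kernels with backported fixes need the vendor's advisory instead.

```shell
#!/bin/sh
# Added example. Fixed releases and the tracefs path are those given above.

# smc_kernel_status RELEASE -> not-affected | affected | fixed | unknown
smc_kernel_status() {
    ver=${1%%[!0-9.]*}                      # drop "-generic", "+", ...
    oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
    maj=${1:-}; min=${2:-}; pat=${3:-0}
    case "$maj.$min.$pat" in .*|*..*) echo unknown; return ;; esac
    # The advisory lists 5.16 as the first affected version.
    if [ "$maj" -lt 5 ] || { [ "$maj" -eq 5 ] && [ "$min" -lt 16 ]; }; then
        echo not-affected; return
    fi
    # 7.1 (mainline) and later carry the fix.
    if [ "$maj" -gt 7 ] || { [ "$maj" -eq 7 ] && [ "$min" -ge 1 ]; }; then
        echo fixed; return
    fi
    case "$maj.$min" in
        6.1) fix=175 ;; 6.6) fix=142 ;; 6.12) fix=92 ;;
        6.18) fix=34 ;; 7.0) fix=11 ;;
        *) echo affected; return ;;         # branch with no listed fix
    esac
    if [ "$pat" -ge "$fix" ]; then echo fixed; else echo affected; fi
}

# smc_tracepoints_enabled [EVENTS_DIR] -> names of enabled SMC msg tracepoints
# Reading the live tracefs path normally requires root.
smc_tracepoints_enabled() {
    dir=${1:-/sys/kernel/debug/tracing/events/smc}
    for ev in smc_tx_sendmsg smc_rx_recvmsg; do
        f=$dir/$ev/enable
        if [ -r "$f" ]; then case $(cat "$f") in 1*) echo "$ev" ;; esac; fi
    done
    return 0
}

# smc_triage [RELEASE] [EVENTS_DIR] -> exposed | latent | fixed | ...
# exposed: affected kernel with a tracepoint on; latent: affected, both off.
smc_triage() {
    status=$(smc_kernel_status "${1:-$(uname -r)}")
    enabled=$(smc_tracepoints_enabled "${2:-}")
    if [ "$status" != affected ]; then echo "$status"
    elif [ -n "$enabled" ]; then echo exposed
    else echo latent
    fi
}
```

Calling `smc_triage` with no arguments checks the running kernel and the live tracefs path; a result of `latent` means the kernel still needs the patch even though the crash cannot currently be triggered.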

This report was generated using AI.
