CVE Catalog

CVE-2026-5590

MediumCVSS 6.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

5th percentile - higher than 5% of all known CVEs

Summary

A race condition during TCP connection teardown causes tcp_recv() to operate on a released connection. When tcp_conn_search() returns NULL while processing a SYN packet, a NULL pointer from stale context is passed to tcp_backlog_is_full() and dereferenced without validation, leading to a crash.

Risk Assessment

An attacker can intentionally trigger this vulnerability by sending crafted SYN packets, causing a system crash and potential denial of service (DoS).

Recommendation

Apply the patch provided by the operating system or TCP/IP library vendor immediately to fix the race condition and add NULL pointer validation.

Original NVD description (English source)

A race condition during TCP connection teardown can cause tcp_recv() to operate on a connection that has already been released. If tcp_conn_search() returns NULL while processing a SYN packet, a NULL pointer derived from stale context data is passed to tcp_backlog_is_full() and dereferenced without validation, leading to a crash.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS