CVE-2026-5590
MediumCVSS 6.4Exploitation Probability (EPSS)
Low risk5th percentile - higher than 5% of all known CVEs
Summary
A race condition during TCP connection teardown causes tcp_recv() to operate on a released connection. When tcp_conn_search() returns NULL while processing a SYN packet, a NULL pointer from stale context is passed to tcp_backlog_is_full() and dereferenced without validation, leading to a crash.
Risk Assessment
An attacker can intentionally trigger this vulnerability by sending crafted SYN packets, causing a system crash and potential denial of service (DoS).
Recommendation
Apply the patch provided by the operating system or TCP/IP library vendor immediately to fix the race condition and add NULL pointer validation.
Original NVD description (English source)
A race condition during TCP connection teardown can cause tcp_recv() to operate on a connection that has already been released. If tcp_conn_search() returns NULL while processing a SYN packet, a NULL pointer derived from stale context data is passed to tcp_backlog_is_full() and dereferenced without validation, leading to a crash.

