Severity: Unknown
Affected Package: kernel/tcp_rack
Summary: Use-after-free in the TCP RACK stack setsockopt(2) handler (CVE-2026-49422)
The RACK TCP stack (tcp_rack.ko) setsockopt(2) handler drops the connection lock to copy option data from userspace, then reacquires it. After reacquiring, it verified that the stack had not been switched away but did not reload its pointer to the stack's per-connection control block.

1. Use-after-free in rack_set_sockopt() (CWE-416, CVE-2026-49422): if userspace switches stacks twice during the window, the check succeeds but the saved pointer refers to freed memory.

An unprivileged local user may be able to escalate privileges. Only systems that have loaded tcp_rack.ko are affected; the module is not loaded by default.
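The stale-pointer pattern described above, as an added userland model that is not FreeBSD kernel code: an identity check alone passes after two stack switches, while re-deriving the pointer after relocking does not touch the dead block. All names (`struct conn`, `struct ctrl`, `switch_stack`, `set_opt`) are hypothetical, and "freeing" is modelled with a `live` flag so the stale access is observable.

```c
#include <stdio.h>
/* Constructed userland model; every name here is hypothetical. */
enum { STACK_DEFAULT, STACK_RACK };
struct ctrl { int live; int opt; };            /* per-connection control block */
struct conn { int stack_id; struct ctrl *cb; };
/* Slots are never reused, so a stale access is observable instead of UB. */
static struct ctrl pool[4];
static int next_slot;

static void switch_stack(struct conn *c, int id)
{
    if (c->cb)
        c->cb->live = 0;                       /* models freeing the old block */
    c->cb = &pool[next_slot++];
    *c->cb = (struct ctrl){ 1, 0 };            /* fresh block for the new stack */
    c->stack_id = id;
}

static struct conn new_rack_conn(void)
{
    struct conn c = { STACK_DEFAULT, NULL };
    next_slot = 0;
    switch_stack(&c, STACK_RACK);
    return c;
}

/* Returns 0 on success, -1 if the stack changed, -2 on a stale control block. */
static int set_opt(struct conn *c, int val, int switches, int reload)
{
    struct ctrl *cb = c->cb;                   /* saved while the lock is held */
    for (int i = 0; i < switches; i++)         /* lock dropped: concurrent switches */
        switch_stack(c, c->stack_id == STACK_RACK ? STACK_DEFAULT : STACK_RACK);
    if (c->stack_id != STACK_RACK)             /* lock retaken: identity check only */
        return -1;
    if (reload)
        cb = c->cb;                            /* re-derive the pointer under the lock */
    if (!cb->live)
        return -2;                             /* real code would touch freed memory */
    cb->opt = val;
    return 0;
}

int main(void)
{
    struct conn c = new_rack_conn();
    printf("saved pointer: %d\n", set_opt(&c, 7, 2, 0));
    c = new_rack_conn();
    printf("reloaded pointer: %d\n", set_opt(&c, 7, 2, 1));
}
```

A single switch is caught by the identity check; only the switch away and back defeats it, which is why the pointer has to be reloaded rather than merely validated.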
No specific recommendations provided.
Aliases: CVE-2026-49422
Published: July 01, 2026
Last Modified: July 01, 2026