In the Linux kernel, the following vulnerability has been resolved: net: caif: clear client service pointer on teardown `caif_connect()` can tear down an existing client after remote shutdown by calling `caif_disconnect_client()` followed by `caif_free_client()`. `caif_free_client()` releases the service layer referenced by `adap_layer->dn`, but leaves that pointer stale. When the socket is later destroyed, `caif_sock_destructor()` calls `caif_free_client()` again and dereferences the freed service pointer. Clear the client/service links before releasing the service object so repeated teardown becomes harmless.
| Product | Vendor | Version |
|---|---|---|
| Linux | Linux | < 10.0.14393.8519 |
| Linux | Linux | < 10.0.17763.7919 |
| Linux | Linux | n/a |
| Linux | Linux | Android-10 |