In the Linux kernel, the following vulnerability has been resolved:
bpf: sockmap: Fix use-after-free of sk->sksocket in skpsockverdictdata_ready().
syzbot reported use-after-free of AFUNIX socket's sk->sksocket in skpsockverdictdataready(). [0]
In unixstreamsendmsg(), the peer socket's ->skdataready() is called after dropping its unixstatelock().
Although the sender socket holds the peer's refcount, it does not prevent the peer's sockorphan(), and the peer's sksocket might be freed after one RCU grace period.
Let's fetch the peer's sk->sksocket and sk->sksocket->ops under RCU in skpsockverdictdataready().
Read of size 8 at addr ffff8880594da860 by task syz.4.1842/11013
CPU: 1 UID: 0 PID: 11013 Comm: syz.4.1842 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 Call Trace: <TASK> dumpstacklvl+0xe8/0x150 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0xba/0x230 mm/kasan/report.c:482 kasanreport+0x117/0x150 mm/kasan/report.c:595 skpsockverdictdataready+0xec/0x590 net/core/skmsg.c:1278 unixstreamsendmsg+0x8a3/0xe80 net/unix/afunix.c:2482 socksendmsgnosec net/socket.c:721 [inline] __sock_sendmsg net/socket.c:736 [inline] ____sys_sendmsg+0x972/0x9f0 net/socket.c:2585 ___sys_sendmsg+0x2a5/0x360 net/socket.c:2639 __sys_sendmsg net/socket.c:2671 [inline] __dosyssendmsg net/socket.c:2676 [inline] __sesyssendmsg net/socket.c:2674 [inline] _x64syssendmsg+0x1bd/0x2a0 net/socket.c:2674 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0x14d/0xf80 arch/x86/entry/syscall64.c:94 entrySYSCALL64afterhwframe+0x77/0x7f RIP: 0033:0x7facf899c819 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007facf9827028 EFLAGS: 00000246 ORIGRAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007facf8c15fa0 RCX: 00007facf899c819 RDX: 0000000000000000 RSI: 0000200000000500 RDI: 0000000000000004 RBP: 00007facf8a32c91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007facf8c16038 R14: 00007facf8c15fa0 R15: 00007ffd41b01c78 </TASK>
Allocated by task 11013: kasansavestack mm/kasan/common.c:57 [inline] kasansavetrack+0x3e/0x80 mm/kasan/common.c:78 unpoisonslabobject mm/kasan/common.c:340 [inline] __kasanslaballoc+0x6c/0x80 mm/kasan/common.c:366 kasan_slaballoc include/linux/kasan.h:253 [inline] slabpostallochook mm/slub.c:4538 [inline] slaballocnode mm/slub.c:4866 [inline] kmemcachealloclrunoprof+0x2b8/0x640 mm/slub.c:4885 sockallocinode+0x28/0xc0 net/socket.c:316 allocinode+0x6a/0x1b0 fs/inode.c:347 newinodepseudo include/linux/fs.h:3003 [inline] sockalloc net/socket.c:631 [inline] __sockcreate+0x12d/0x9d0 net/socket.c:1562 sockcreate net/socket.c:1656 [inline] __sys_socketpair+0x1c4/0x560 net/socket.c:1803 __dosyssocketpair net/socket.c:1856 [inline] __sesyssocketpair net/socket.c:1853 [inline] __x64syssocketpair+0x9b/0xb0 net/socket.c:1853 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0x14d/0xf80 arch/x86/entry/syscall64.c:94 entrySYSCALL64afterhwframe+0x77/0x7f
Freed by task 15: kasansavestack mm/kasan/common.c:57 [inline] kasansavetrack+0x3e/0x80 mm/kasan/common.c:78 kasansavefreeinfo+0x46/0x50 mm/kasan/generic.c:584 poisonslab_object mm/kasan/common.c:253 [inline] _kasanslabfree+0x5c/0x80 mm/kasan/common.c:285 kasanslabfree include/linux/kasan.h:235 [inline] slabfreehook mm/slub.c:2685 [inline] slabfree mm/slub.c:6165 [inline] kmemcachefree+0x187/0x630 mm/slub.c:6295 rcudobatch kernel/rcu/tree.c: ---truncated---
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43016.json",
"cna_assigner": "Linux"
}