CVE-2026-53005

Source
https://cve.org/CVERecord?id=CVE-2026-53005
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53005.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53005
Downstream
Published
2026-06-24T16:29:16.901Z
Modified
2026-07-12T03:55:07.018478613Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
af_unix: Drop all SCM attributes for SOCKMAP.
Details

In the Linux kernel, the following vulnerability has been resolved:

af_unix: Drop all SCM attributes for SOCKMAP.

SOCKMAP can hide inflight fd from AF_UNIX GC.

When a socket in SOCKMAP receives skb with inflight fd, skpsockverdictdataready() looks up the mapped socket and enqueue skb to its psock->ingress_skb.

Since neither the old nor the new GC can inspect the psock queue, the hidden skb leaks the inflight sockets. Note that this cannot be detected via kmemleak because inflight sockets are linked to a global list.

In addition, SOCKMAP redirect breaks the Tarjan-based GC's assumption that unix_edge.successor is always alive, which is no longer true once skb is redirected, resulting in use-after-free below. [0]

Moreover, SOCKMAP does not call scmstatdel() properly, so unixshowfdinfo() could report an incorrect fd count.

skmsgrecvmsg() does not support any SCM attributes in the first place.

Let's drop all SCM attributes before passing skb to the SOCKMAP layer.

Read of size 8 at addr ffff888125362670 by task kworker/56:1/496

CPU: 56 UID: 0 PID: 496 Comm: kworker/56:1 Not tainted 7.0.0-rc7-00263-gb9d8b856689d #3 PREEMPT(lazy) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 Workqueue: events skpsockbacklog Call Trace: <TASK> dumpstacklvl (lib/dumpstack.c:122) printreport (mm/kasan/report.c:379) kasanreport (mm/kasan/report.c:597) unixdeledges (net/unix/garbage.c:118 net/unix/garbage.c:181 net/unix/garbage.c:251) unixdestroyfpl (net/unix/garbage.c:317) unixdestructscm (./include/net/scm.h:80 ./include/net/scm.h:86 net/unix/afunix.c:1976) skpsockbacklog (./include/linux/skbuff.h:?) processscheduledworks (kernel/workqueue.c:?) workerthread (kernel/workqueue.c:?) kthread (kernel/kthread.c:438) retfromfork (arch/x86/kernel/process.c:164) retfromforkasm (arch/x86/entry/entry_64.S:258) </TASK>

Allocated by task 955: kasansavetrack (mm/kasan/common.c:58 mm/kasan/common.c:78) __kasanslaballoc (mm/kasan/common.c:369) kmemcacheallocnoprof (mm/slub.c:4539) skprotalloc (net/core/sock.c:2240) skalloc (net/core/sock.c:2301) unixcreate1 (net/unix/afunix.c:1099) unixcreate (net/unix/afunix.c:1169) __sock_create (net/socket.c:1606) __sys_socketpair (net/socket.c:1811) __x64syssocketpair (net/socket.c:1863 net/socket.c:1860 net/socket.c:1860) dosyscall64 (arch/x86/entry/syscall64.c:?) entrySYSCALL64afterhwframe (arch/x86/entry/entry64.S:130)

Freed by task 496: kasansavetrack (mm/kasan/common.c:58 mm/kasan/common.c:78) kasansavefree_info (mm/kasan/generic.c:587) __kasanslabfree (mm/kasan/common.c:287) kmemcachefree (mm/slub.c:6165) __skdestruct (net/core/sock.c:2282 net/core/sock.c:2384) skpsockdestroy (./include/net/sock.h:?) processscheduledworks (kernel/workqueue.c:?) workerthread (kernel/workqueue.c:?) kthread (kernel/kthread.c:438) retfromfork (arch/x86/kernel/process.c:164) retfromforkasm (arch/x86/entry/entry64.S:258)

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53005.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c63829182c37c2d6d0608976d15fa61ebebe9e6b
Fixed
b34a1d83c74a124c968b5adb25c809db3e2eb86a
Fixed
965dc93481d1b80d341bdd16c27b16fe197175ee

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53005.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.15.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53005.json"