CVE-2026-53034

Source
https://cve.org/CVERecord?id=CVE-2026-53034
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53034.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53034
Downstream
Published
2026-06-24T16:29:41.676Z
Modified
2026-07-12T03:54:52.801755044Z
Summary
bpf, sockmap: Fix af_unix null-ptr-deref in proto update
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Fix af_unix null-ptr-deref in proto update

unixstreamconnect() sets skstate (WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)) before it assigns a peer (unix_peer(sk) = newsk). skstate == TCPESTABLISHED makes sockmapskstateallowed() believe that socket is properly set up, which would include having a defined peer. IOW, there's a window when unixstreambpfupdateproto() can be called on socket which still has unixpeer(sk) == NULL.

     CPU0 bpf                            CPU1 connect
     --------                            ------------

                            WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)

sockmapskstateallowed(sk) ... skpair = unixpeer(sk) sockhold(skpair) sockhold(newsk) smpmb__afteratomic() unixpeer(sk) = newsk

BUG: kernel NULL pointer dereference, address: 0000000000000080 RIP: 0010:unixstreambpfupdateproto+0xa0/0x1b0 Call Trace: sockmaplink+0x564/0x8b0 sockmapupdatecommon+0x6e/0x340 sockmapupdateelem_sys+0x17d/0x240 __sys_bpf+0x26db/0x3250 __x64sysbpf+0x21/0x30 dosyscall64+0x6b/0x3a0 entrySYSCALL64afterhwframe+0x76/0x7e

Initial idea was to move peer assignment before the skstate update[1], but that involved an additional memory barrier, and changing the hot path was rejected. Then a NULL check during proto update in unixstreambpfupdateproto() was considered[2], but the follow-up discussion[3] focused on the root cause, i.e. sockmap update taking a wrong lock. Or, more specifically, missing unixstatelock()[4]. In the end it was concluded that teaching sockmap about the afunix locking would be unnecessarily complex[5]. Complexity aside, since BPFPROGTYPESCHEDCLS and BPFPROGTYPESCHEDACT are allowed to update sockmaps, sockmapupdateelem() taking the unix lock, as it is currently implemented in unixstatelock(): spinlock(&unixsk(s)->lock), would be problematic. unixstate_lock() taken in a process context, followed by a softirq-context TC BPF program attempting to take the same spinlock -- deadlock[6]. This way we circled back to the peer check idea[2].

Summary of scenarios where af_unix/stream connect() may race a sockmap update:

  1. connect() vs. bpf(BPFMAPUPDATEELEM), i.e. sockmapupdateelem_sys()

    Implemented NULL check is sufficient. Once assigned, socket peer won't be released until socket fd is released. And that's not an issue because sockmapupdateelemsys() bumps fd refcnf.

  2. connect() vs BPF program doing update

    Update restricted per verifier.c:mayupdatesockmap() to

    BPFPROGTYPETRACING/BPFTRACEITER BPFPROGTYPESOCKOPS (bpfsockmapupdate() only) BPFPROGTYPESOCKETFILTER BPFPROGTYPESCHEDCLS BPFPROGTYPESCHEDACT BPFPROGTYPEXDP BPFPROGTYPESKREUSEPORT BPFPROGTYPEFLOWDISSECTOR BPFPROGTYPESK_LOOKUP

    Plus one more race to consider:

         CPU0 bpf                            CPU1 connect
         --------                            ------------
    
                                WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)
    

    sockmapskstateallowed(sk) sockhold(newsk) smpmb_afteratomic()

---truncated---

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53034.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c63829182c37c2d6d0608976d15fa61ebebe9e6b
Fixed
75b7d3b3f8bd4e59eb3af1b11a43c64c0c2db6f4
Fixed
a94d3dd78ee8b63e6b8ad629081c952c93ee5a10
Fixed
4913c94a3adcdbb64c552110c0c243cb1fdbb317
Fixed
041eb6348d73ee5e15fc8161f1eac5a6e8289ca0
Fixed
37bfcd164161b47d00b1c3bd20adc816a6977ce0
Fixed
dca38b7734d2ea00af4818ff3ae836fab33d5d5a

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53034.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.15.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53034.json"