CVE-2026-53292

Source
https://cve.org/CVERecord?id=CVE-2026-53292
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53292.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53292
Downstream
Published
2026-06-26T19:40:51.470Z
Modified
2026-07-09T03:51:23.599543803Z
Summary
net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind
Details

In the Linux kernel, the following vulnerability has been resolved:

net: phonet: do not BUGON() in pnsocket_autobind() on failed bind

syzbot reported a kernel BUG triggered from pnsocketsendmsg() via pnsocketautobind():

kernel BUG at net/phonet/socket.c:213! RIP: 0010:pnsocketautobind net/phonet/socket.c:213 [inline] RIP: 0010:pnsocketsendmsg+0x240/0x250 net/phonet/socket.c:421 Call Trace: socksendmsgnosec+0x112/0x150 net/socket.c:797 __sock_sendmsg net/socket.c:812 [inline] _syssendto+0x402/0x590 net/socket.c:2280 ...

pnsocketautobind() calls pnsocketbind() with port 0 and, on -EINVAL, assumes the socket was already bound and asserts that the port is non-zero:

err = pnsocketbind(sock, ..., sizeof(struct sockaddrpn)); if (err != -EINVAL) return err; BUGON(!pnport(pnsk(sock->sk)->sobject)); return 0; /* socket was already bound */

However pnsocketbind() also returns -EINVAL when sk->skstate is not TCPCLOSE, even when the socket has never been bound and pnport() is still 0. In that case the BUGON() fires and panics the kernel from a user-triggerable path.

Treat the "bind returned -EINVAL but pnport() is still 0" case as a regular error and propagate -EINVAL to the caller instead of crashing. Existing callers already translate a non-zero return from pnsocket_autobind() into -ENOBUFS/-EAGAIN, so returning -EINVAL here only changes behaviour from panic to a normal errno.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53292.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ba113a94b7503ee23ffe819e7045134b0c1d31de
Fixed
6db58ee730bf434d1afca91b91826e26688856ed
Fixed
5b0c911bcdbd982f7748d11c0b39ec5808eae2de

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53292.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.28
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53292.json"