In the Linux kernel, the following vulnerability has been resolved:

vsock/bpf: return early if transport is not assigned

Some of the core functions can only be called if the transport has been assigned. As Michal reported, a socket might have the transport at NULL, for example after a failed connect(), causing the following trace:

    BUG: kernel NULL pointer dereference, address: 00000000000000a0
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    PGD 12faf8067 P4D 12faf8067 PUD 113670067 PMD 0
    Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
    CPU: 15 UID: 0 PID: 1198 Comm: a.out Not tainted 6.13.0-rc2+
    RIP: 0010:vsock_connectible_has_data+0x1f/0x40
    Call Trace:
     vsock_bpf_recvmsg+0xca/0x5e0
     sock_recvmsg+0xb9/0xc0
     __sys_recvfrom+0xb3/0x130
     __x64_sys_recvfrom+0x20/0x30
     do_syscall_64+0x93/0x180
     entry_SYSCALL_64_after_hwframe+0x76/0x7e

So we need to check the vsk->transport in vsock_bpf_recvmsg(), especially for connected sockets (stream/seqpacket) as we already do in __vsock_connectible_recvmsg().
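
The early-return pattern described above, as an added user-space model (not the kernel's code and not the actual patch). The struct layouts, the model_* and recv_* names, and the -ENODEV return value are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins for the kernel structures. */
struct vsock_sock;

struct vsock_transport {
    long (*stream_has_data)(struct vsock_sock *vsk);
};

struct vsock_sock {
    const struct vsock_transport *transport; /* may be NULL, e.g. after a failed connect() */
    long queued;                             /* bytes waiting, for the model only */
};

static long loopback_has_data(struct vsock_sock *vsk) { return vsk->queued; }
static const struct vsock_transport loopback = { .stream_has_data = loopback_has_data };

/* Core helper: only valid with a transport assigned, because it
 * dereferences vsk->transport unconditionally (the faulting step in the trace). */
static long model_has_data(struct vsock_sock *vsk)
{
    return vsk->transport->stream_has_data(vsk);
}

/* Models the state the report describes: connect fails, transport ends up NULL. */
static void model_failed_connect(struct vsock_sock *vsk) { vsk->transport = NULL; }

/* Receive path with the guard: test the transport before any core helper runs. */
long model_bpf_recvmsg(struct vsock_sock *vsk)
{
    if (!vsk->transport)
        return -ENODEV;          /* assumed errno; return early, no dereference */
    return model_has_data(vsk);
}

long recv_on_assigned(long queued)
{
    struct vsock_sock vsk = { &loopback, queued };
    return model_bpf_recvmsg(&vsk);
}

long recv_after_failed_connect(void)
{
    struct vsock_sock vsk = { &loopback, 16 };
    model_failed_connect(&vsk);
    return model_bpf_recvmsg(&vsk);
}

int main(void)
{
    printf("assigned: %ld\n", recv_on_assigned(64));
    printf("after failed connect: %ld\n", recv_after_failed_connect());
    return 0;
}
```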