{"cve":{"cve_id":"CVE-2026-53005","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":null,"epss_percentile":null,"epss_as_of":null,"description":"In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Drop all SCM attributes for SOCKMAP.\n\nSOCKMAP can hide inflight fd from AF_UNIX GC.\n\nWhen a socket in SOCKMAP receives skb with inflight fd,\nsk_psock_verdict_data_ready() looks up the mapped socket and\nenqueue skb to its psock->ingress_skb.\n\nSince neither the old nor the new GC can inspect the psock\nqueue, the hidden skb leaks the inflight sockets.  Note that\nthis cannot be detected via kmemleak because inflight sockets\nare linked to a global list.\n\nIn addition, SOCKMAP redirect breaks the Tarjan-based GC's\nassumption that unix_edge.successor is always alive, which\nis no longer true once skb is redirected, resulting in\nuse-after-free below. [0]\n\nMoreover, SOCKMAP does not call scm_stat_del() properly,\nso unix_show_fdinfo() could report an incorrect fd count.\n\nsk_msg_recvmsg() does not support any SCM attributes in the\nfirst place.\n\nLet's drop all SCM attributes before passing skb to the\nSOCKMAP layer.\n\n[0]:\nBUG: KASAN: slab-use-after-free in unix_del_edges (net/unix/garbage.c:118 net/unix/garbage.c:181 net/unix/garbage.c:251)\nRead of size 8 at addr ffff888125362670 by task kworker/56:1/496\n\nCPU: 56 UID: 0 PID: 496 Comm: kworker/56:1 Not tainted 7.0.0-rc7-00263-gb9d8b856689d #3 PREEMPT(lazy)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\nWorkqueue: events sk_psock_backlog\nCall Trace:\n <TASK>\n dump_stack_lvl (lib/dump_stack.c:122)\n print_report (mm/kasan/report.c:379)\n kasan_report (mm/kasan/report.c:597)\n unix_del_edges (net/unix/garbage.c:118 net/unix/garbage.c:181 net/unix/garbage.c:251)\n unix_destroy_fpl (net/unix/garbage.c:317)\n unix_destruct_scm (./include/net/scm.h:80 ./include/net/scm.h:86 net/unix/af_unix.c:1976)\n sk_psock_backlog (./include/linux/skbuff.h:?)\n process_scheduled_works (kernel/workqueue.c:?)\n worker_thread (kernel/workqueue.c:?)\n kthread (kernel/kthread.c:438)\n ret_from_fork (arch/x86/kernel/process.c:164)\n ret_from_fork_asm (arch/x86/entry/entry_64.S:258)\n </TASK>\n\nAllocated by task 955:\n kasan_save_track (mm/kasan/common.c:58 mm/kasan/common.c:78)\n __kasan_slab_alloc (mm/kasan/common.c:369)\n kmem_cache_alloc_noprof (mm/slub.c:4539)\n sk_prot_alloc (net/core/sock.c:2240)\n sk_alloc (net/core/sock.c:2301)\n unix_create1 (net/unix/af_unix.c:1099)\n unix_create (net/unix/af_unix.c:1169)\n __sock_create (net/socket.c:1606)\n __sys_socketpair (net/socket.c:1811)\n __x64_sys_socketpair (net/socket.c:1863 net/socket.c:1860 net/socket.c:1860)\n do_syscall_64 (arch/x86/entry/syscall_64.c:?)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nFreed by task 496:\n kasan_save_track (mm/kasan/common.c:58 mm/kasan/common.c:78)\n kasan_save_free_info (mm/kasan/generic.c:587)\n __kasan_slab_free (mm/kasan/common.c:287)\n kmem_cache_free (mm/slub.c:6165)\n __sk_destruct (net/core/sock.c:2282 net/core/sock.c:2384)\n sk_psock_destroy (./include/net/sock.h:?)\n process_scheduled_works (kernel/workqueue.c:?)\n worker_thread (kernel/workqueue.c:?)\n kthread (kernel/kthread.c:438)\n ret_from_fork (arch/x86/kernel/process.c:164)\n ret_from_fork_asm (arch/x86/entry/entry_64.S:258)","published_at":"2026-06-24T16:29:16.901000Z","last_modified_at":null,"cvss_v3_score":7.8,"cvss_v3_vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","cvss_v3_severity":"HIGH","cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":null,"nvd_references":["https://git.kernel.org/stable/c/b34a1d83c74a124c968b5adb25c809db3e2eb86a","https://git.kernel.org/stable/c/965dc93481d1b80d341bdd16c27b16fe197175ee"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-28T17:55:22.518073Z","updated_at":"2026-06-28T23:30:49.890169Z"},"effective_severity":"HIGH","badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"L","value_label":"Local"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"PR","name":"Privileges Required","value":"L","value_label":"Low"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"H","value_label":"High"},{"metric":"I","name":"Integrity","value":"H","value_label":"High"},{"metric":"A","name":"Availability","value":"H","value_label":"High"}]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"c63829182c37c2d6d0608976d15fa61ebebe9e6b","version_start_inclusive":true,"version_end":"b34a1d83c74a124c968b5adb25c809db3e2eb86a","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:c63829182c37c2d6d0608976d15fa61ebebe9e6b:b34a1d83c74a124c968b5adb25c809db3e2eb86a"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"c63829182c37c2d6d0608976d15fa61ebebe9e6b","version_start_inclusive":true,"version_end":"965dc93481d1b80d341bdd16c27b16fe197175ee","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:c63829182c37c2d6d0608976d15fa61ebebe9e6b:965dc93481d1b80d341bdd16c27b16fe197175ee"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"5.15","version_start_inclusive":true,"version_end":"5.15","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:5.15:5.15"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"0","version_start_inclusive":true,"version_end":"5.15","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:0:5.15"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"7.0.10","version_start_inclusive":true,"version_end":"7.0.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:7.0.10:7.0.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"7.1","version_start_inclusive":true,"version_end":"*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:7.1:*"}],"exploit_refs":[],"news":[],"references":[{"url":"https://git.kernel.org/stable/c/b34a1d83c74a124c968b5adb25c809db3e2eb86a","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/965dc93481d1b80d341bdd16c27b16fe197175ee","source_type":"MISC","tags":[]}],"timeline":[{"type":"published","at":"2026-06-24T16:29:16.901000Z","label":"CVE published","source":null}]}