{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-53005", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-06-09T07:44:35.377Z", "datePublished": "2026-06-24T16:29:16.901Z", "dateUpdated": "2026-06-28T06:37:55.507Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-06-28T06:37:55.507Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Drop all SCM attributes for SOCKMAP.\n\nSOCKMAP can hide inflight fd from AF_UNIX GC.\n\nWhen a socket in SOCKMAP receives skb with inflight fd,\nsk_psock_verdict_data_ready() looks up the mapped socket and\nenqueue skb to its psock->ingress_skb.\n\nSince neither the old nor the new GC can inspect the psock\nqueue, the hidden skb leaks the inflight sockets. Note that\nthis cannot be detected via kmemleak because inflight sockets\nare linked to a global list.\n\nIn addition, SOCKMAP redirect breaks the Tarjan-based GC's\nassumption that unix_edge.successor is always alive, which\nis no longer true once skb is redirected, resulting in\nuse-after-free below. [0]\n\nMoreover, SOCKMAP does not call scm_stat_del() properly,\nso unix_show_fdinfo() could report an incorrect fd count.\n\nsk_msg_recvmsg() does not support any SCM attributes in the\nfirst place.\n\nLet's drop all SCM attributes before passing skb to the\nSOCKMAP layer.\n\n[0]:\nBUG: KASAN: slab-use-after-free in unix_del_edges (net/unix/garbage.c:118 net/unix/garbage.c:181 net/unix/garbage.c:251)\nRead of size 8 at addr ffff888125362670 by task kworker/56:1/496\n\nCPU: 56 UID: 0 PID: 496 Comm: kworker/56:1 Not tainted 7.0.0-rc7-00263-gb9d8b856689d #3 PREEMPT(lazy)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\nWorkqueue: events sk_psock_backlog\nCall Trace:\n <TASK>\n dump_stack_lvl (lib/dump_stack.c:122)\n print_report (mm/kasan/report.c:379)\n kasan_report (mm/kasan/report.c:597)\n unix_del_edges (net/unix/garbage.c:118 net/unix/garbage.c:181 net/unix/garbage.c:251)\n unix_destroy_fpl (net/unix/garbage.c:317)\n unix_destruct_scm (./include/net/scm.h:80 ./include/net/scm.h:86 net/unix/af_unix.c:1976)\n sk_psock_backlog (./include/linux/skbuff.h:?)\n process_scheduled_works (kernel/workqueue.c:?)\n worker_thread (kernel/workqueue.c:?)\n kthread (kernel/kthread.c:438)\n ret_from_fork (arch/x86/kernel/process.c:164)\n ret_from_fork_asm (arch/x86/entry/entry_64.S:258)\n </TASK>\n\nAllocated by task 955:\n kasan_save_track (mm/kasan/common.c:58 mm/kasan/common.c:78)\n __kasan_slab_alloc (mm/kasan/common.c:369)\n kmem_cache_alloc_noprof (mm/slub.c:4539)\n sk_prot_alloc (net/core/sock.c:2240)\n sk_alloc (net/core/sock.c:2301)\n unix_create1 (net/unix/af_unix.c:1099)\n unix_create (net/unix/af_unix.c:1169)\n __sock_create (net/socket.c:1606)\n __sys_socketpair (net/socket.c:1811)\n __x64_sys_socketpair (net/socket.c:1863 net/socket.c:1860 net/socket.c:1860)\n do_syscall_64 (arch/x86/entry/syscall_64.c:?)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nFreed by task 496:\n kasan_save_track (mm/kasan/common.c:58 mm/kasan/common.c:78)\n kasan_save_free_info (mm/kasan/generic.c:587)\n __kasan_slab_free (mm/kasan/common.c:287)\n kmem_cache_free (mm/slub.c:6165)\n __sk_destruct (net/core/sock.c:2282 net/core/sock.c:2384)\n sk_psock_destroy (./include/net/sock.h:?)\n process_scheduled_works (kernel/workqueue.c:?)\n worker_thread (kernel/workqueue.c:?)\n kthread (kernel/kthread.c:438)\n ret_from_fork (arch/x86/kernel/process.c:164)\n ret_from_fork_asm (arch/x86/entry/entry_64.S:258)"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/unix/af_unix.c"], "versions": [{"version": "c63829182c37c2d6d0608976d15fa61ebebe9e6b", "lessThan": "b34a1d83c74a124c968b5adb25c809db3e2eb86a", "status": "affected", "versionType": "git"}, {"version": "c63829182c37c2d6d0608976d15fa61ebebe9e6b", "lessThan": "965dc93481d1b80d341bdd16c27b16fe197175ee", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/unix/af_unix.c"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.10", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "7.0.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "7.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b34a1d83c74a124c968b5adb25c809db3e2eb86a"}, {"url": "https://git.kernel.org/stable/c/965dc93481d1b80d341bdd16c27b16fe197175ee"}], "title": "af_unix: Drop all SCM attributes for SOCKMAP.", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{}

{"bugzilla": {"description": "kernel: af_unix: Drop all SCM attributes for SOCKMAP", "id": "2492381", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492381"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-772", "details": ["A flaw was found in the Linux kernel's af_unix component, specifically within its SOCKMAP feature. This vulnerability stems from the kernel's improper handling of Socket Control Message (SCM) attributes when data is passed to the SOCKMAP layer. This can lead to a use-after-free condition, which may allow an attacker to cause system instability or a denial of service. The issue also contributes to resource leaks of file descriptors and inaccurate reporting of file descriptor counts."], "name": "CVE-2026-53005", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-06-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-53005\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-53005\nhttps://lore.kernel.org/linux-cve-announce/2026062448-CVE-2026-53005-b325@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c63829182c37c2d6d0608976d15fa61ebebe9e6b,b34a1d83c74a124c968b5adb25c809db3e2eb86a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c63829182c37c2d6d0608976d15fa61ebebe9e6b,965dc93481d1b80d341bdd16c27b16fe197175ee)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.15"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.15)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0.10,8.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "created": "2026-06-24T19:45:05.749003+00:00", "updated": "2026-06-28T13:45:06.276595+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}