{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-53034", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-06-09T07:44:35.380Z", "datePublished": "2026-06-24T16:29:41.676Z", "dateUpdated": "2026-06-24T16:29:41.676Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-06-24T16:29:41.676Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix af_unix null-ptr-deref in proto update\n\nunix_stream_connect() sets sk_state (`WRITE_ONCE(sk->sk_state,\nTCP_ESTABLISHED)`) _before_ it assigns a peer (`unix_peer(sk) = newsk`).\nsk_state == TCP_ESTABLISHED makes sock_map_sk_state_allowed() believe that\nsocket is properly set up, which would include having a defined peer. IOW,\nthere's a window when unix_stream_bpf_update_proto() can be called on\nsocket which still has unix_peer(sk) == NULL.\n\n CPU0 bpf CPU1 connect\n -------- ------------\n\n WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)\nsock_map_sk_state_allowed(sk)\n...\nsk_pair = unix_peer(sk)\nsock_hold(sk_pair)\n sock_hold(newsk)\n smp_mb__after_atomic()\n unix_peer(sk) = newsk\n\nBUG: kernel NULL pointer dereference, address: 0000000000000080\nRIP: 0010:unix_stream_bpf_update_proto+0xa0/0x1b0\nCall Trace:\n sock_map_link+0x564/0x8b0\n sock_map_update_common+0x6e/0x340\n sock_map_update_elem_sys+0x17d/0x240\n __sys_bpf+0x26db/0x3250\n __x64_sys_bpf+0x21/0x30\n do_syscall_64+0x6b/0x3a0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nInitial idea was to move peer assignment _before_ the sk_state update[1],\nbut that involved an additional memory barrier, and changing the hot path\nwas rejected.\nThen a NULL check during proto update in unix_stream_bpf_update_proto() was\nconsidered[2], but the follow-up discussion[3] focused on the root cause,\ni.e. sockmap update taking a wrong lock. Or, more specifically, missing\nunix_state_lock()[4].\nIn the end it was concluded that teaching sockmap about the af_unix locking\nwould be unnecessarily complex[5].\nComplexity aside, since BPF_PROG_TYPE_SCHED_CLS and BPF_PROG_TYPE_SCHED_ACT\nare allowed to update sockmaps, sock_map_update_elem() taking the unix\nlock, as it is currently implemented in unix_state_lock():\nspin_lock(&unix_sk(s)->lock), would be problematic. unix_state_lock() taken\nin a process context, followed by a softirq-context TC BPF program\nattempting to take the same spinlock -- deadlock[6].\nThis way we circled back to the peer check idea[2].\n\n[1]: https://lore.kernel.org/netdev/ba5c50aa-1df4-40c2-ab33-a72022c5a32e@rbox.co/\n[2]: https://lore.kernel.org/netdev/20240610174906.32921-1-kuniyu@amazon.com/\n[3]: https://lore.kernel.org/netdev/7603c0e6-cd5b-452b-b710-73b64bd9de26@linux.dev/\n[4]: https://lore.kernel.org/netdev/CAAVpQUA+8GL_j63CaKb8hbxoL21izD58yr1NvhOhU=j+35+3og@mail.gmail.com/\n[5]: https://lore.kernel.org/bpf/CAAVpQUAHijOMext28Gi10dSLuMzGYh+jK61Ujn+fZ-wvcODR2A@mail.gmail.com/\n[6]: https://lore.kernel.org/bpf/dd043c69-4d03-46fe-8325-8f97101435cf@linux.dev/\n\nSummary of scenarios where af_unix/stream connect() may race a sockmap\nupdate:\n\n1. connect() vs. bpf(BPF_MAP_UPDATE_ELEM), i.e. sock_map_update_elem_sys()\n\n Implemented NULL check is sufficient. Once assigned, socket peer won't\n be released until socket fd is released. And that's not an issue because\n sock_map_update_elem_sys() bumps fd refcnf.\n\n2. connect() vs BPF program doing update\n\n Update restricted per verifier.c:may_update_sockmap() to\n\n BPF_PROG_TYPE_TRACING/BPF_TRACE_ITER\n BPF_PROG_TYPE_SOCK_OPS (bpf_sock_map_update() only)\n BPF_PROG_TYPE_SOCKET_FILTER\n BPF_PROG_TYPE_SCHED_CLS\n BPF_PROG_TYPE_SCHED_ACT\n BPF_PROG_TYPE_XDP\n BPF_PROG_TYPE_SK_REUSEPORT\n BPF_PROG_TYPE_FLOW_DISSECTOR\n BPF_PROG_TYPE_SK_LOOKUP\n\n Plus one more race to consider:\n\n CPU0 bpf CPU1 connect\n -------- ------------\n\n WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)\n sock_map_sk_state_allowed(sk)\n sock_hold(newsk)\n smp_mb__after_atomic()\n \n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/unix/unix_bpf.c"], "versions": [{"version": "c63829182c37c2d6d0608976d15fa61ebebe9e6b", "lessThan": "75b7d3b3f8bd4e59eb3af1b11a43c64c0c2db6f4", "status": "affected", "versionType": "git"}, {"version": "c63829182c37c2d6d0608976d15fa61ebebe9e6b", "lessThan": "a94d3dd78ee8b63e6b8ad629081c952c93ee5a10", "status": "affected", "versionType": "git"}, {"version": "c63829182c37c2d6d0608976d15fa61ebebe9e6b", "lessThan": "4913c94a3adcdbb64c552110c0c243cb1fdbb317", "status": "affected", "versionType": "git"}, {"version": "c63829182c37c2d6d0608976d15fa61ebebe9e6b", "lessThan": "041eb6348d73ee5e15fc8161f1eac5a6e8289ca0", "status": "affected", "versionType": "git"}, {"version": "c63829182c37c2d6d0608976d15fa61ebebe9e6b", "lessThan": "37bfcd164161b47d00b1c3bd20adc816a6977ce0", "status": "affected", "versionType": "git"}, {"version": "c63829182c37c2d6d0608976d15fa61ebebe9e6b", "lessThan": "dca38b7734d2ea00af4818ff3ae836fab33d5d5a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/unix/unix_bpf.c"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.175", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.141", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.91", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.33", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.10", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.1.175"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.6.141"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.12.91"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.18.33"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "7.0.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "7.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/75b7d3b3f8bd4e59eb3af1b11a43c64c0c2db6f4"}, {"url": "https://git.kernel.org/stable/c/a94d3dd78ee8b63e6b8ad629081c952c93ee5a10"}, {"url": "https://git.kernel.org/stable/c/4913c94a3adcdbb64c552110c0c243cb1fdbb317"}, {"url": "https://git.kernel.org/stable/c/041eb6348d73ee5e15fc8161f1eac5a6e8289ca0"}, {"url": "https://git.kernel.org/stable/c/37bfcd164161b47d00b1c3bd20adc816a6977ce0"}, {"url": "https://git.kernel.org/stable/c/dca38b7734d2ea00af4818ff3ae836fab33d5d5a"}], "title": "bpf, sockmap: Fix af_unix null-ptr-deref in proto update", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{}

{"bugzilla": {"description": "kernel: bpf, sockmap: Fix af_unix null-ptr-deref in proto update", "id": "2492346", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492346"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-367", "details": ["A flaw was found in the Linux kernel's Berkeley Packet Filter (BPF) and sockmap components, specifically within the af_unix socket operations. A race condition occurs during the connection process where a socket's state is updated before its peer is fully assigned. This timing issue can lead to a null-pointer dereference when the unix_stream_bpf_update_proto() function is called, potentially causing a system crash and resulting in a Denial of Service (DoS)."], "name": "CVE-2026-53034", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-06-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-53034\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-53034\nhttps://lore.kernel.org/linux-cve-announce/2026062455-CVE-2026-53034-c0bb@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c63829182c37c2d6d0608976d15fa61ebebe9e6b,75b7d3b3f8bd4e59eb3af1b11a43c64c0c2db6f4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c63829182c37c2d6d0608976d15fa61ebebe9e6b,a94d3dd78ee8b63e6b8ad629081c952c93ee5a10)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c63829182c37c2d6d0608976d15fa61ebebe9e6b,4913c94a3adcdbb64c552110c0c243cb1fdbb317)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c63829182c37c2d6d0608976d15fa61ebebe9e6b,041eb6348d73ee5e15fc8161f1eac5a6e8289ca0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c63829182c37c2d6d0608976d15fa61ebebe9e6b,37bfcd164161b47d00b1c3bd20adc816a6977ce0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c63829182c37c2d6d0608976d15fa61ebebe9e6b,dca38b7734d2ea00af4818ff3ae836fab33d5d5a)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.15"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.15)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.175,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.141,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.91,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.33,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0.10,7.1.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "created": "2026-06-24T19:45:05.748064+00:00", "updated": "2026-06-26T06:30:17.481374+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}