HIGH

CVE-2026-53005

Published: June 24, 2026 · Updated: Jun 28, 2026

CVSS v3.1: 7.8
EPSS: 0.16% probability of exploitation in 30 days (percentile: 5.8th)

Official Description

In the Linux kernel, the following vulnerability has been resolved:

af_unix: Drop all SCM attributes for SOCKMAP.

SOCKMAP can hide inflight fd from AF_UNIX GC.

When a socket in SOCKMAP receives skb with inflight fd, sk_psock_verdict_data_ready() looks up the mapped socket and enqueues skb to its psock->ingress_skb.

Since neither the old nor the new GC can inspect the psock queue, the hidden skb leaks the inflight sockets. Note that this cannot be detected via kmemleak because inflight sockets are linked to a global list.

In addition, SOCKMAP redirect breaks the Tarjan-based GC's assumption that unix_edge.successor is always alive, which is no longer true once skb is redirected, resulting in use-after-free below. [0]

Moreover, SOCKMAP does not call scm_stat_del() properly, so unix_show_fdinfo() could report an incorrect fd count.

sk_msg_recvmsg() does not support any SCM attributes in the first place.

Let's drop all SCM attributes before passing skb to the SOCKMAP layer.

[0]:
BUG: KASAN: slab-use-after-free in unix_del_edges (net/unix/garbage.c:118 net/unix/garbage.c:181 net/unix/garbage.c:251)
Read of size 8 at addr ffff888125362670 by task kworker/56:1/496

CPU: 56 UID: 0 PID: 496 Comm: kworker/56:1 Not tainted 7.0.0-rc7-00263-gb9d8b856689d #3 PREEMPT(lazy)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
Workqueue: events sk_psock_backlog
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:122)
print_report (mm/kasan/report.c:379)
kasan_report (mm/kasan/report.c:597)
unix_del_edges (net/unix/garbage.c:118 net/unix/garbage.c:181 net/unix/garbage.c:251)
unix_destroy_fpl (net/unix/garbage.c:317)
unix_destruct_scm (./include/net/scm.h:80 ./include/net/scm.h:86 net/unix/af_unix.c:1976)
sk_psock_backlog (./include/linux/skbuff.h:?)
process_scheduled_works (kernel/workqueue.c:?)
worker_thread (kernel/workqueue.c:?)
kthread (kernel/kthread.c:438)
ret_from_fork (arch/x86/kernel/process.c:164)
ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
</TASK>

Allocated by task 955:
kasan_save_track (mm/kasan/common.c:58 mm/kasan/common.c:78)
__kasan_slab_alloc (mm/kasan/common.c:369)
kmem_cache_alloc_noprof (mm/slub.c:4539)
sk_prot_alloc (net/core/sock.c:2240)
sk_alloc (net/core/sock.c:2301)
unix_create1 (net/unix/af_unix.c:1099)
unix_create (net/unix/af_unix.c:1169)
__sock_create (net/socket.c:1606)
__sys_socketpair (net/socket.c:1811)
__x64_sys_socketpair (net/socket.c:1863 net/socket.c:1860 net/socket.c:1860)
do_syscall_64 (arch/x86/entry/syscall_64.c:?)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

Freed by task 496:
kasan_save_track (mm/kasan/common.c:58 mm/kasan/common.c:78)
kasan_save_free_info (mm/kasan/generic.c:587)
__kasan_slab_free (mm/kasan/common.c:287)
kmem_cache_free (mm/slub.c:6165)
__sk_destruct (net/core/sock.c:2282 net/core/sock.c:2384)
sk_psock_destroy (./include/net/sock.h:?)
process_scheduled_works (kernel/workqueue.c:?)
worker_thread (kernel/workqueue.c:?)
kthread (kernel/kthread.c:438)
ret_from_fork (arch/x86/kernel/process.c:164)
ret_from_fork_asm (arch/x86/entry/entry_64.S:258)

NVD Source

Technical Analysis

CVE-2026-53005 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in a complete confidentiality breach (data exposure), full integrity compromise (data manipulation), and availability disruption (denial of service), for a CVSS base score of 7.8.

CVSS v3.1 Vector Breakdown

Exploitability
Attack Vector: Local
Attack Complexity: Low
Privileges Req.: Low
User Interaction: None
Scope: Unchanged

Impact
Confidentiality: High
Integrity: High
Availability: High

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description): Linux, Debian
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time

Quick Facts

CVE ID: CVE-2026-53005
CVSS Score: 7.8 / 10
Severity: HIGH
CISA KEV: No
EPSS (30d): 0.16%
Published: Jun 24, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-53005 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.