PT-2026-51899 · Linux · Linux
Published: 2026-06-24 · Updated: 2026-06-24 · CVE-2026-53005
Severity: None
No severity ratings or metrics are available. When they are, we will update the corresponding information on this page.
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Drop all SCM attributes for SOCKMAP.

SOCKMAP can hide inflight fd from AF_UNIX GC.

When a socket in SOCKMAP receives skb with inflight fd,
sk_psock_verdict_data_ready() looks up the mapped socket and
enqueues skb to its psock->ingress_skb.

Since neither the old nor the new GC can inspect the psock
queue, the hidden skb leaks the inflight sockets. Note that
this cannot be detected via kmemleak because inflight sockets
are linked to a global list.

In addition, SOCKMAP redirect breaks the Tarjan-based GC's
assumption that unix_edge.successor is always alive, which
is no longer true once skb is redirected, resulting in
use-after-free below. [0]

Moreover, SOCKMAP does not call scm_stat_del() properly,
so unix_show_fdinfo() could report an incorrect fd count.

sk_msg_recvmsg() does not support any SCM attributes in the
first place.

Let's drop all SCM attributes before passing skb to the
SOCKMAP layer.

[0]:
BUG: KASAN: slab-use-after-free in unix_del_edges (net/unix/garbage.c:118 net/unix/garbage.c:181 net/unix/garbage.c:251)
Read of size 8 at addr ffff888125362670 by task kworker/56:1/496

CPU: 56 UID: 0 PID: 496 Comm: kworker/56:1 Not tainted 7.0.0-rc7-00263-gb9d8b856689d #3 PREEMPT(lazy)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
Workqueue: events sk_psock_backlog
Call Trace:
dump_stack_lvl (lib/dump_stack.c:122)
print_report (mm/kasan/report.c:379)
kasan_report (mm/kasan/report.c:597)
unix_del_edges (net/unix/garbage.c:118 net/unix/garbage.c:181 net/unix/garbage.c:251)
unix_destroy_fpl (net/unix/garbage.c:317)
unix_destruct_scm (./include/net/scm.h:80 ./include/net/scm.h:86 net/unix/af_unix.c:1976)
sk_psock_backlog (./include/linux/skbuff.h:?)
process_scheduled_works (kernel/workqueue.c:?)
worker_thread (kernel/workqueue.c:?)
kthread (kernel/kthread.c:438)
ret_from_fork (arch/x86/kernel/process.c:164)
ret_from_fork_asm (arch/x86/entry/entry_64.S:258)

Allocated by task 955:
kasan_save_track (mm/kasan/common.c:58 mm/kasan/common.c:78)
kasan_slab_alloc (mm/kasan/common.c:369)
kmem_cache_alloc_noprof (mm/slub.c:4539)
sk_prot_alloc (net/core/sock.c:2240)
sk_alloc (net/core/sock.c:2301)
unix_create1 (net/unix/af_unix.c:1099)
unix_create (net/unix/af_unix.c:1169)
sock_create (net/socket.c:1606)
sys_socketpair (net/socket.c:1811)
x64_sys_socketpair (net/socket.c:1863 net/socket.c:1860 net/socket.c:1860)
do_syscall_64 (arch/x86/entry/syscall_64.c:?)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

Freed by task 496:
kasan_save_track (mm/kasan/common.c:58 mm/kasan/common.c:78)
kasan_save_free_info (mm/kasan/generic.c:587)
kasan_slab_free (mm/kasan/common.c:287)
kmem_cache_free (mm/slub.c:6165)
sk_destruct (net/core/sock.c:2282 net/core/sock.c:2384)
sk_psock_destroy (./include/net/sock.h:?)
process_scheduled_works (kernel/workqueue.c:?)
worker_thread (kernel/workqueue.c:?)
kthread (kernel/kthread.c:438)
ret_from_fork (arch/x86/kernel/process.c:164)
ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
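
For triage on KASAN-enabled test kernels, the sketch below parses KASAN reports out of dmesg text and flags the ones that match the report above. It is an added example, not part of the advisory or the kernel patch; the sample log is constructed from the trace above (symbol names written with underscores, as the kernel prints them), and the function names parse_reports and matches_sockmap_scm_uaf are hypothetical.

```python
import re

# Constructed sample: shortened dmesg excerpt modelled on the report above,
# followed by an unrelated (made-up) KASAN report that must not match.
SAMPLE_DMESG = """\
[  101.000001] BUG: KASAN: slab-use-after-free in unix_del_edges (net/unix/garbage.c:118)
[  101.000002] Workqueue: events sk_psock_backlog
[  101.000003] Call Trace:
[  101.000004]  unix_del_edges (net/unix/garbage.c:118)
[  101.000005]  unix_destroy_fpl (net/unix/garbage.c:317)
[  101.000006]  unix_destruct_scm (net/unix/af_unix.c:1976)
[  101.000007]  sk_psock_backlog (./include/linux/skbuff.h:?)
[  101.000008] Freed by task 496:
[  101.000009]  sk_destruct (net/core/sock.c:2282)
[  101.000010]  sk_psock_destroy (./include/net/sock.h:?)
[  102.000001] BUG: KASAN: slab-out-of-bounds in example_fn (drivers/example.c:1)
[  102.000002] Call Trace:
[  102.000003]  example_fn (drivers/example.c:1)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")           # dmesg timestamp prefix
BUG = re.compile(r"BUG: KASAN: (\S+) in (\w+)")    # bug class + faulting function
FRAME = re.compile(r"^\s*(?:\? )?(\w+)(?:\+0x\w+/0x\w+| \()")  # one stack frame
SECTIONS = {"Call Trace:": "trace", "Allocated by task": "alloc",
            "Freed by task": "freed"}

def parse_reports(text):
    """Split dmesg text into KASAN reports with per-section frame lists."""
    reports, cur, section = [], None, None
    for raw in text.splitlines():
        line = TS.sub("", raw)
        if (m := BUG.search(line)):
            cur = {"kind": m.group(1), "func": m.group(2), "workqueue": None,
                   "trace": [], "alloc": [], "freed": []}
            reports.append(cur)
            section = None
        elif cur is None:
            continue
        elif line.startswith("Workqueue:"):
            cur["workqueue"] = line.split()[-1]
        elif (s := next((v for k, v in SECTIONS.items() if line.startswith(k)), None)):
            section = s
        elif section and (f := FRAME.match(line)):
            cur[section].append(f.group(1))
    return reports

def matches_sockmap_scm_uaf(r):
    # Signature taken from the report: UAF in AF_UNIX GC edge removal, reached
    # while the psock backlog worker frees an skb that still carried SCM fds.
    return (r["kind"] == "slab-use-after-free" and r["func"] == "unix_del_edges"
            and {"unix_destruct_scm", "sk_psock_backlog"} <= set(r["trace"]))
```

Feed it the output of `dmesg` from a KASAN build; on production kernels without KASAN the same bug produces no such report.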
Related identifiers
Affected products
Linux