{"id":66575,"date":"2026-06-28T03:28:51","date_gmt":"2026-06-28T03:28:51","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=66575"},"modified":"2026-06-28T03:28:51","modified_gmt":"2026-06-28T03:28:51","slug":"afunix-drop-all-scm-attributes-for-sockmap","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=66575","title":{"rendered":"af_unix: Drop all SCM attributes for SOCKMAP._CVE-2026-53005"},"content":{"rendered":"

{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\naf_unix: Drop all SCM attributes for SOCKMAP.\\n\\nSOCKMAP can hide inflight fd from AF_UNIX GC.\\n\\nWhen a socket in SOCKMAP receives skb with inflight fd,\\nsk_psock_verdict_data_ready() looks up the mapped socket and\\nenqueue skb to its psock-\\u003eingress_skb.\\n\\nSince neither the old nor the new GC can inspect the psock\\nqueue, the hidden skb leaks the inflight sockets. Note that\\nthis cannot be detected via kmemleak because inflight sockets\\nare linked to a global list.\\n\\nIn addition, SOCKMAP redirect breaks the Tarjan-based GC’s\\nassumption that unix_edge.successor is always alive, which\\nis no longer true once skb is redirected, resulting in\\nuse-after-free below. [0]\\n\\nMoreover, SOCKMAP does not call scm_stat_del() properly,\\nso unix_show_fdinfo() could report an incorrect fd count.\\n\\nsk_msg_recvmsg() does not support any SCM attributes in the\\nfirst place.\\n\\nLet’s drop all SCM attributes before passing skb to the\\nSOCKMAP layer.\\n\\n[0]:\\nBUG: KASAN: slab-use-after-free in unix_del_edges (net\/unix\/garbage.c:118 net\/unix\/garbage.c:181 net\/unix\/garbage.c:251)\\nRead of size 8 at addr ffff888125362670 by task kworker\/56:1\/496\\n\\nCPU: 56 UID: 0 PID: 496 Comm: kworker\/56:1 Not tainted 7.0.0-rc7-00263-gb9d8b856689d #3 PREEMPT(lazy)\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04\/01\/2014\\nWorkqueue: events sk_psock_backlog\\nCall Trace:\\n \\u003cTASK\\u003e\\n dump_stack_lvl (lib\/dump_stack.c:122)\\n print_report (mm\/kasan\/report.c:379)\\n kasan_report (mm\/kasan\/report.c:597)\\n unix_del_edges (net\/unix\/garbage.c:118 net\/unix\/garbage.c:181 net\/unix\/garbage.c:251)\\n unix_destroy_fpl (net\/unix\/garbage.c:317)\\n unix_destruct_scm (.\/include\/net\/scm.h:80 .\/include\/net\/scm.h:86 net\/unix\/af_unix.c:1976)\\n sk_psock_backlog (.\/include\/linux\/skbuff.h:?)\\n process_scheduled_works (kernel\/workqueue.c:?)\\n worker_thread (kernel\/workqueue.c:?)\\n kthread (kernel\/kthread.c:438)\\n ret_from_fork (arch\/x86\/kernel\/process.c:164)\\n ret_from_fork_asm (arch\/x86\/entry\/entry_64.S:258)\\n \\u003c\/TASK\\u003e\\n\\nAllocated by task 955:\\n kasan_save_track (mm\/kasan\/common.c:58 mm\/kasan\/common.c:78)\\n __kasan_slab_alloc (mm\/kasan\/common.c:369)\\n kmem_cache_alloc_noprof (mm\/slub.c:4539)\\n sk_prot_alloc (net\/core\/sock.c:2240)\\n sk_alloc (net\/core\/sock.c:2301)\\n unix_create1 (net\/unix\/af_unix.c:1099)\\n unix_create (net\/unix\/af_unix.c:1169)\\n __sock_create (net\/socket.c:1606)\\n __sys_socketpair (net\/socket.c:1811)\\n __x64_sys_socketpair (net\/socket.c:1863 net\/socket.c:1860 net\/socket.c:1860)\\n do_syscall_64 (arch\/x86\/entry\/syscall_64.c:?)\\n entry_SYSCALL_64_after_hwframe (arch\/x86\/entry\/entry_64.S:130)\\n\\nFreed by task 496:\\n kasan_save_track (mm\/kasan\/common.c:58 mm\/kasan\/common.c:78)\\n kasan_save_free_info (mm\/kasan\/generic.c:587)\\n __kasan_slab_free (mm\/kasan\/common.c:287)\\n kmem_cache_free (mm\/slub.c:6165)\\n __sk_destruct (net\/core\/sock.c:2282 net\/core\/sock.c:2384)\\n sk_psock_destroy (.\/include\/net\/sock.h:?)\\n process_scheduled_works (kernel\/workqueue.c:?)\\n worker_thread (kernel\/workqueue.c:?)\\n kthread (kernel\/kthread.c:438)\\n ret_from_fork (arch\/x86\/kernel\/process.c:164)\\n ret_from_fork_asm (arch\/x86\/entry\/entry_64.S:258)”,”published”:”2026-06-24T16:29:16.901Z”,”modified”:”2026-06-28T06:37:55.507Z”,”type”:”cve”,”title”:”af_unix: Drop all SCM attributes for SOCKMAP.”,”source”:”Linux”,”references”:”https:\/\/git.kernel.org\/stable\/c\/b34a1d83c74a124c968b5adb25c809db3e2eb86a\\nhttps:\/\/git.kernel.org\/stable\/c\/965dc93481d1b80d341bdd16c27b16fe197175ee”,”id”:”CVE-2026-53005″,”bulletinFamily”:””,”cwe”:null,”cvelist”:null,”sourceData”:”Linux Linux c63829182c37c2d6d0608976d15fa61ebebe9e6b\\nLinux Linux c63829182c37c2d6d0608976d15fa61ebebe9e6b\\nLinux Linux 5.15″,”sourceHref”:””,”cvss”:{“score”:7.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Linux”,”version”:”c63829182c37c2d6d0608976d15fa61ebebe9e6b”,”vendor”:”Linux”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\naf_unix: Drop all SCM attributes for SOCKMAP.\\n\\nSOCKMAP can hide inflight fd from AF_UNIX GC.\\n\\nWhen a socket…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,28,12,15,13,7,11,5],"class_list":["post-66575","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\naf_unix: Drop all SCM attributes for SOCKMAP._CVE-2026-53005 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=66575\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"af_unix: Drop all SCM attributes for SOCKMAP._CVE-2026-53005 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:nnaf_unix: Drop all SCM attributes for SOCKMAP.nnSOCKMAP can hide inflight fd from AF_UNIX GC.nnWhen a socket...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=66575\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-28T03:28:51+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=66575#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=66575\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"af_unix: Drop all SCM attributes for SOCKMAP._CVE-2026-53005\",\"datePublished\":\"2026-06-28T03:28:51+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=66575\"},\"wordCount\":750,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-7.8\",\"exploit\",\"HIGH\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_cve\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=66575#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=66575\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=66575\",\"name\":\"af_unix: Drop all SCM attributes for SOCKMAP._CVE-2026-53005 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-06-28T03:28:51+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=66575#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=66575\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=66575#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"af_unix: Drop all SCM attributes for SOCKMAP._CVE-2026-53005\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"af_unix: Drop all SCM attributes for SOCKMAP._CVE-2026-53005 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=66575","og_locale":"en_US","og_type":"article","og_title":"af_unix: Drop all SCM attributes for SOCKMAP._CVE-2026-53005 - zero redgem","og_description":"{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:nnaf_unix: Drop all SCM attributes for SOCKMAP.nnSOCKMAP can hide inflight fd from AF_UNIX GC.nnWhen a socket...","og_url":"https:\/\/zero.redgem.net\/?p=66575","og_site_name":"zero redgem","article_published_time":"2026-06-28T03:28:51+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=66575#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=66575"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"af_unix: Drop all SCM attributes for SOCKMAP._CVE-2026-53005","datePublished":"2026-06-28T03:28:51+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=66575"},"wordCount":750,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-7.8","exploit","HIGH","news","Security","tapic","Vulnerability"],"articleSection":["category_cve"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=66575#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=66575","url":"https:\/\/zero.redgem.net\/?p=66575","name":"af_unix: Drop all SCM attributes for SOCKMAP._CVE-2026-53005 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-06-28T03:28:51+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=66575#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=66575"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=66575#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"af_unix: Drop all SCM attributes for SOCKMAP._CVE-2026-53005"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/66575","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=66575"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/66575\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=66575"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=66575"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=66575"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}