Skip to main content

Linux Kernel CVE-2026-46015

| EUVDEUVD-2026-32396 HIGH
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-xg26-4rww-5g68
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:36 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

tcp: call sk_data_ready() after listener migration

When inet_csk_listen_stop() migrates an established child socket from a closing listener to another socket in the same SO_REUSEPORT group, the target listener gets a new accept-queue entry via inet_csk_reqsk_queue_add(), but that path never notifies the target listener's waiters. A nonblocking accept() still works because it checks the queue directly, but poll()/epoll_wait() waiters and blocking accept() callers can also remain asleep indefinitely.

Call READ_ONCE(nsk->sk_data_ready)(nsk) after a successful migration in inet_csk_listen_stop().

However, after inet_csk_reqsk_queue_add() succeeds, the ref acquired in reuseport_migrate_sock() is effectively transferred to nreq->rsk_listener. Another CPU can then dequeue nreq via accept() or listener shutdown, hit reqsk_put(), and drop that listener ref. Since listeners are SOCK_RCU_FREE, wrap the post-queue_add() dereferences of nsk in rcu_read_lock()/rcu_read_unlock(), which also covers the existing sock_net(nsk) access in that path.

The reqsk_timer_handler() path does not need the same changes for two reasons: half-open requests become readable only after the final ACK, where tcp_child_process() already wakes the listener; and once nreq is visible via inet_ehash_insert(), the success path no longer touches nsk directly.

AnalysisAI

Race condition and missed wake-up in the Linux kernel TCP listener migration path (SO_REUSEPORT) allows local low-privileged attackers to cause hangs and potentially exploit a use-after-free on listener sockets. Affects kernels from 5.14 up to versions fixed in 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. No public exploit identified at time of analysis, and EPSS is very low (0.02%).

Technical ContextAI

The flaw lives in net/ipv4/inet_connection_sock.c in the SO_REUSEPORT listener-migration logic. When inet_csk_listen_stop() shuts down a listener and migrates an established child socket to a sibling listener in the same reuseport group, inet_csk_reqsk_queue_add() places the child on the target's accept queue but never invokes sk_data_ready() on the target. As a result, blocking accept() callers and poll()/epoll_wait() waiters on the target listener never wake up. Additionally, the listener reference taken by reuseport_migrate_sock() is transferred to nreq->rsk_listener once queued, so another CPU racing through accept() or listener shutdown can call reqsk_put() and free the listener while the migrating path still dereferences it; because listener sockets are SOCK_RCU_FREE, only an RCU read-side critical section makes those post-queue dereferences safe. The fix adds the missing sk_data_ready() call and wraps post-queue_add nsk accesses (including sock_net(nsk)) in rcu_read_lock()/rcu_read_unlock().

RemediationAI

Vendor-released patches: upgrade to Linux 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 (or newer in each series) using the upstream commits at https://git.kernel.org/stable/c/bebd058ef40c67a81fe6d9ee8beaa4ede90e0704, https://git.kernel.org/stable/c/12625b4da84caf4d84a04988710a7b9bcf702b18, https://git.kernel.org/stable/c/3864c6ba1e041bc75342353a70fa2a2c6f909923, https://git.kernel.org/stable/c/83bb57635d7cbafde32f865b577ecfd969f02337, and https://git.kernel.org/stable/c/ab5fdcd535645f6dbe6e9e21d96a08d141e88b4b. For distribution kernels, install the vendor-shipped kernel update that backports these commits and reboot. As an interim compensating control where patching is not yet possible, avoid SO_REUSEPORT-based listener migration in production services (do not bind multiple listeners with SO_REUSEPORT on the same port for graceful-restart workflows), and restrict who can run arbitrary network-service code on the host so that local low-privileged users cannot induce the race; both measures reduce risk but also remove the graceful-handoff capability that reuseport migration provides.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46015 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy