CVE Catalog

CVE-2026-53274

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile — higher than 8% of all known CVEs

Summary

A logic flaw in the Linux kernel's __smc_setsockopt() function allows a local unprivileged user to cause a Denial of Service (DoS) by holding the socket lock indefinitely. The issue occurs because copy_from_sockptr() is called while holding lock_sock, which can be exploited via userfaultfd-monitored memory to block execution and exhaust kernel worker threads.

Risk Assessment

The organization faces a local denial of service that can freeze the system or critical SMC-based network services, resulting in downtime and loss of availability.

Recommendation

Apply the Linux kernel patch that moves the user-space copy outside the lock_sock() critical section immediately, and update the system to a kernel version containing this fix.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS A logic flaw in __smc_setsockopt() allows a local unprivileged user to cause a Denial of Service (DoS) by holding the socket lock indefinitely. The function __smc_setsockopt() calls copy_from_sockptr() while holding lock_sock(sk). By passing a userfaultfd-monitored memory page (or FUSE-backed memory on systems where unprivileged userfaultfd is disabled) as the optval, an attacker can halt execution during the copy operation, keeping the lock held. Combined with asynchronous tear-down operations like shutdown(), this exhausts the kernel wq (kworkers) and triggers the hung task watchdog. [ 240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds. [ 240.123489] Call Trace: [ 240.123501] smc_shutdown+... [ 240.123512] lock_sock_nested+... This patch moves the user-space copy outside the lock_sock() critical section to prevent the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS