CVE-2026-53274
Received - Intake
Linux Kernel Local Denial of Service in SMC Socket

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS

A logic flaw in __smc_setsockopt() allows a local unprivileged user to cause a Denial of Service (DoS) by holding the socket lock indefinitely.

The function __smc_setsockopt() calls copy_from_sockptr() while holding lock_sock(sk). By passing a userfaultfd-monitored memory page (or FUSE-backed memory on systems where unprivileged userfaultfd is disabled) as the optval, an attacker can halt execution during the copy operation, keeping the lock held. Combined with asynchronous tear-down operations like shutdown(), this exhausts the kernel wq (kworkers) and triggers the hung task watchdog.

  [ 240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
  [ 240.123489] Call Trace:
  [ 240.123501] smc_shutdown+...
  [ 240.123512] lock_sock_nested+...

This patch moves the user-space copy outside the lock_sock() critical section to prevent the issue.

Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
linux | linux_kernel | *
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's net/smc component, specifically in the __smc_setsockopt() function. A logic flaw allows a local unprivileged user to cause a Denial of Service (DoS) by holding a socket lock indefinitely.

The issue arises because __smc_setsockopt() calls copy_from_sockptr() while holding the lock_sock(sk) lock. An attacker can pass a userfaultfd-monitored memory page or FUSE-backed memory as the optval, which halts execution during the copy operation and keeps the lock held.

With the lock held indefinitely, asynchronous tear-down operations such as shutdown() block behind it. This exhausts the kernel workqueue (kworkers) and triggers the hung task watchdog, causing a local Denial of Service.

The vulnerability was fixed by moving the user-space copy operation outside the lock_sock() critical section.

Impact Analysis

This vulnerability allows a local unprivileged user to cause a Denial of Service (DoS) on the affected Linux system.

By exploiting the flaw, an attacker can hold a socket lock indefinitely, which leads to exhaustion of kernel worker threads and triggers the hung task watchdog. This results in system instability or unresponsiveness.

Such a DoS condition can disrupt normal operations, potentially affecting availability of services running on the system.

Detection Guidance

This vulnerability can be detected by observing kernel logs for signs of blocked kernel worker tasks and hung task watchdog triggers related to the smc_shutdown and lock_sock functions.

  • Check kernel logs for messages like: "task kworker/u8:2 blocked for more than 120 seconds."
  • Look for call traces involving smc_shutdown and lock_sock_nested in dmesg or /var/log/kern.log.
  • Use the command: dmesg | grep -i 'kworker.*blocked' to find blocked worker threads.
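  • Monitor hung task watchdog messages with: dmesg | grep -i 'hung_task' (the watchdog's report includes a hint line naming hung_task_timeout_secs, whereas the phrase "hung task watchdog" does not appear in the log).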
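
The grep commands above match any blocked kworker. As an added example (not code from this page or from the kernel project), the following script groups each hung-task report with its call trace and keeps only reports that show both an smc_* frame and a lock_sock* frame. The function name find_smc_hung_tasks and the second report in SAMPLE are assumptions constructed for illustration.

```python
import re

# Header the hung-task watchdog prints for each stuck task.
HEADER = re.compile(r"INFO: task (\S+) blocked for more than (\d+) seconds")
# A stack frame: optional "? " marker, then a symbol name followed by "+offset".
FRAME = re.compile(r"(?:^|\])\s*(?:\? )?([A-Za-z_][\w.]*)\+")

# Sample input: the first four lines are the excerpt from the description;
# the remaining lines are constructed to represent an unrelated hung task.
SAMPLE = """\
[ 240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
[ 240.123489] Call Trace:
[ 240.123501] smc_shutdown+...
[ 240.123512] lock_sock_nested+...
[ 363.000100] INFO: task kworker/1:0 blocked for more than 120 seconds.
[ 363.000140] Call Trace:
[ 363.000171] io_schedule+0x12/0x40
[ 363.000203] bit_wait_io+0x11/0x60
""".splitlines()


def find_smc_hung_tasks(lines):
    """Return hung-task reports whose trace waits on the socket lock in SMC code."""
    reports, current = [], None
    for line in lines:
        header = HEADER.search(line)
        if header:
            current = {"task": header.group(1),
                       "seconds": int(header.group(2)),
                       "frames": []}
            reports.append(current)
            continue
        frame = FRAME.search(line)
        if current is not None and frame:
            # Frames are attributed to the most recent header seen.
            current["frames"].append(frame.group(1))
    return [r for r in reports
            if any(f.startswith("smc_") for f in r["frames"])
            and any(f.startswith("lock_sock") for f in r["frames"])]


if __name__ == "__main__":
    for report in find_smc_hung_tasks(SAMPLE):
        print(report["task"], report["seconds"], " <- ".join(report["frames"]))
```

Feed it the lines of dmesg or /var/log/kern.log output in place of SAMPLE; a non-empty result means a worker is stuck waiting on a socket lock inside SMC code, which matches the symptom described above.
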
Mitigation Strategies

The immediate mitigation is to apply the patch that moves the user-space copy operation outside the lock_sock() critical section in the __smc_setsockopt() function.

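Until the patch is applied, restrict unprivileged users from using the SMC socket options or disable unprivileged userfaultfd usage to reduce the attack surface. Disabling unprivileged userfaultfd alone does not close the issue, because the description notes that FUSE-backed memory can serve as the optval on such systems.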

Monitor kernel logs for symptoms of the vulnerability and restart affected services or the system if hung tasks are detected.
