CVE-2026-53292
Analyzed Analyzed - Analysis Complete

Kernel BUG in Linux Phonet Socket Autobind

Vulnerability report for CVE-2026-53292, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-07-08

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind syzbot reported a kernel BUG triggered from pn_socket_sendmsg() via pn_socket_autobind(): kernel BUG at net/phonet/socket.c:213! RIP: 0010:pn_socket_autobind net/phonet/socket.c:213 [inline] RIP: 0010:pn_socket_sendmsg+0x240/0x250 net/phonet/socket.c:421 Call Trace: sock_sendmsg_nosec+0x112/0x150 net/socket.c:797 __sock_sendmsg net/socket.c:812 [inline] __sys_sendto+0x402/0x590 net/socket.c:2280 ... pn_socket_autobind() calls pn_socket_bind() with port 0 and, on -EINVAL, assumes the socket was already bound and asserts that the port is non-zero: err = pn_socket_bind(sock, ..., sizeof(struct sockaddr_pn)); if (err != -EINVAL) return err; BUG_ON(!pn_port(pn_sk(sock->sk)->sobject)); return 0; /* socket was already bound */ However pn_socket_bind() also returns -EINVAL when sk->sk_state is not TCP_CLOSE, even when the socket has never been bound and pn_port() is still 0. In that case the BUG_ON() fires and panics the kernel from a user-triggerable path. Treat the "bind returned -EINVAL but pn_port() is still 0" case as a regular error and propagate -EINVAL to the caller instead of crashing. Existing callers already translate a non-zero return from pn_socket_autobind() into -ENOBUFS/-EAGAIN, so returning -EINVAL here only changes behaviour from panic to a normal errno.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-07-08
Generated
2026-07-17
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel From 2.6.28 (inc) to 7.0.10 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's phonet networking code. Specifically, the function pn_socket_autobind() calls pn_socket_bind() with port 0 and expects certain error conditions to indicate that the socket is already bound. However, pn_socket_bind() can return an error (-EINVAL) in other cases where the socket is not bound and the port is still zero. When this happens, pn_socket_autobind() triggers a BUG_ON() assertion, causing the kernel to panic.

The problem is that the kernel panics due to an incorrect assumption about the error code returned by pn_socket_bind(). This panic can be triggered by a user, making it a user-triggerable kernel crash.

The fix changes the code to treat the case where bind returns -EINVAL but the port is still zero as a normal error instead of a kernel panic, preventing the crash.

Detection Guidance

This vulnerability manifests as a kernel BUG triggered in the Linux kernel at net/phonet/socket.c, specifically in the pn_socket_autobind() function. Detection involves monitoring kernel logs for BUG messages related to phonet sockets.

You can check your system logs (e.g., using dmesg or journalctl) for kernel BUG messages mentioning pn_socket_autobind or net/phonet/socket.c.

  • Run: dmesg | grep -i 'pn_socket_autobind'
  • Run: journalctl -k | grep -i 'pn_socket_autobind'
  • Look for kernel panic or BUG_ON messages referencing net/phonet/socket.c or pn_socket_sendmsg.
Impact Analysis

This vulnerability can cause the Linux kernel to panic and crash when a user triggers the specific error condition in the phonet socket binding process. A kernel panic results in a system crash, leading to denial of service (DoS) as the system becomes unavailable until it is rebooted.

Therefore, an attacker or even an unprivileged user could exploit this vulnerability to disrupt system availability by causing a kernel crash.

Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

The vulnerability is fixed by changing the kernel code to avoid BUG_ON() panics in pn_socket_autobind() and instead return a normal error code. Immediate mitigation involves updating the Linux kernel to a version that includes this fix.

Until the kernel is updated, avoid triggering the vulnerable code path by restricting or monitoring applications that use phonet sockets, especially those that might call pn_socket_sendmsg or pn_socket_autobind.

  • Apply the latest Linux kernel updates that address this issue.
  • Monitor and restrict usage of phonet sockets if possible.
  • Regularly check kernel logs for signs of the BUG to detect exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53292. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart