CVE-2026-53292
Received - Intake
Kernel BUG in Linux Phonet Socket Autobind

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind

syzbot reported a kernel BUG triggered from pn_socket_sendmsg() via pn_socket_autobind():

    kernel BUG at net/phonet/socket.c:213!
    RIP: 0010:pn_socket_autobind net/phonet/socket.c:213 [inline]
    RIP: 0010:pn_socket_sendmsg+0x240/0x250 net/phonet/socket.c:421
    Call Trace:
     sock_sendmsg_nosec+0x112/0x150 net/socket.c:797
     __sock_sendmsg net/socket.c:812 [inline]
     __sys_sendto+0x402/0x590 net/socket.c:2280
     ...

pn_socket_autobind() calls pn_socket_bind() with port 0 and, on -EINVAL, assumes the socket was already bound and asserts that the port is non-zero:

    err = pn_socket_bind(sock, ..., sizeof(struct sockaddr_pn));
    if (err != -EINVAL)
        return err;
    BUG_ON(!pn_port(pn_sk(sock->sk)->sobject));
    return 0; /* socket was already bound */

However pn_socket_bind() also returns -EINVAL when sk->sk_state is not TCP_CLOSE, even when the socket has never been bound and pn_port() is still 0. In that case the BUG_ON() fires and panics the kernel from a user-triggerable path.

Treat the "bind returned -EINVAL but pn_port() is still 0" case as a regular error and propagate -EINVAL to the caller instead of crashing. Existing callers already translate a non-zero return from pn_socket_autobind() into -ENOBUFS/-EAGAIN, so returning -EINVAL here only changes behaviour from panic to a normal errno.

Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-27
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor   Product        Version / Range
linux    linux_kernel   *
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's phonet networking code. Specifically, the function pn_socket_autobind() calls pn_socket_bind() with port 0 and expects certain error conditions to indicate that the socket is already bound. However, pn_socket_bind() can return an error (-EINVAL) in other cases where the socket is not bound and the port is still zero. When this happens, pn_socket_autobind() triggers a BUG_ON() assertion, causing the kernel to panic.

The problem is that the kernel panics due to an incorrect assumption about the error code returned by pn_socket_bind(). This panic can be triggered by a user, making it a user-triggerable kernel crash.

The fix changes the code to treat the case where bind returns -EINVAL but the port is still zero as a normal error instead of a kernel panic, preventing the crash.
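
The control flow described above, as an added user-space model (not the kernel source and not the upstream patch). The struct, the state enum, `model_bind()`, the `MODEL_BUG` sentinel and the port value are constructed stand-ins; `autobind_after()` is one assumed shape of the described fix.

```c
#include <errno.h>
#include <stdio.h>

/* User-space model; every name below is a constructed stand-in. */
enum { ST_CLOSE, ST_OTHER };   /* ST_CLOSE models sk_state == TCP_CLOSE */
#define MODEL_BUG (-1000)      /* stands in for BUG_ON() firing (panic) */

struct model_sock {
    int state;                 /* models sk->sk_state */
    unsigned short port;       /* models pn_port(pn_sk(sk)->sobject) */
};

/* Models the two -EINVAL cases of pn_socket_bind(): wrong state, or already bound. */
static int model_bind(struct model_sock *sk)
{
    if (sk->state != ST_CLOSE || sk->port != 0)
        return -EINVAL;
    sk->port = 0x40;           /* constructed non-zero port */
    return 0;
}

/* Before: -EINVAL is taken to mean "already bound" and asserted. */
static int autobind_before(struct model_sock *sk)
{
    int err = model_bind(sk);
    if (err != -EINVAL)
        return err;
    if (!sk->port)
        return MODEL_BUG;      /* BUG_ON(!pn_port(...)) */
    return 0;                  /* socket was already bound */
}

/* After: the same case is an ordinary error (assumed shape of the fix). */
static int autobind_after(struct model_sock *sk)
{
    int err = model_bind(sk);
    if (err != -EINVAL)
        return err;
    if (!sk->port)
        return -EINVAL;
    return 0;
}

int main(void)
{
    struct model_sock s = { ST_OTHER, 0 }, t = { ST_OTHER, 0 };
    printf("before=%d after=%d\n", autobind_before(&s), autobind_after(&t));
    return 0;
}
```

The already-bound case returns 0 in both versions; only the "never bound, state not closed" case changes, from the assertion to -EINVAL.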

Impact Analysis

This vulnerability can cause the Linux kernel to panic and crash when a user triggers the specific error condition in the phonet socket binding process. A kernel panic results in a system crash, leading to denial of service (DoS) as the system becomes unavailable until it is rebooted.

Therefore, an attacker or even an unprivileged user could exploit this vulnerability to disrupt system availability by causing a kernel crash.
