Description
In the Linux kernel, the following vulnerability has been resolved:

net: do not write to msg_get_inq in callee

NULL pointer dereference fix.

msg_get_inq is an input field from caller to callee. Don't set it in
the callee, as the caller may not clear it on struct reuse.

This is a kernel-internal variant of msghdr only, and the only user
does reinitialize the field. So this is not critical for that reason.
But it is more robust to avoid the write, and slightly simpler code.
And it fixes a bug, see below.

Callers set msg_get_inq to request the input queue length to be
returned in msg_inq. This is equivalent to but independent from the
SO_INQ request to return that same info as a cmsg (tp->recvmsg_inq).
To reduce branching in the hot path the second also sets the msg_inq.
That is WAI.

This is a fix to commit 4d1442979e4a ("af_unix: don't post cmsg for
SO_INQ unless explicitly asked for"), which fixed the inverse.

Also avoid NULL pointer dereference in unix_stream_read_generic if
state->msg is NULL and msg->msg_get_inq is written. A NULL state->msg
can happen when splicing as of commit 2b514574f7e8 ("net: af_unix:
implement splice for stream af_unix sockets").

Also collapse two branches using a bitwise or.
Published: 2026-01-23
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Null Pointer Dereference leading to kernel crash (Denial of Service).
Action: Patch
AI Analysis

Impact

This vulnerability arises in the Linux kernel's networking stack, where a callee function incorrectly writes to the msg_get_inq member of an msghdr‑like structure. The write can leave a stale request in the field when the caller reuses the structure without clearing it, and it dereferences a NULL pointer when state->msg is NULL, which can happen on the splice path. The bug was introduced by recent commits that changed the handling of UNIX domain socket requests for input queue length. The result is a kernel crash, potentially causing a denial of service for the affected host. Because the flaw is inside kernel code, exploitation could elevate a local process to kernel privilege implicitly, but the primary impact is a denial of service.
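
A userspace model of the pattern the description fixes, added here as an illustration and not taken from the kernel source or the fix commit. The struct names, `read_before`, `read_after` and `MODEL_FAULT` are hypothetical, and the pre-fix function returns `MODEL_FAULT` at the point where the write through a NULL `msg` would occur.

```c
#include <stdbool.h>
#include <stddef.h>

#define MODEL_FAULT (-1)  /* marks where the real code would dereference NULL */

/* Hypothetical stand-ins for the kernel-internal msghdr and read state. */
struct model_msg {
    bool msg_get_inq;  /* input: caller requests the queue length */
    int  msg_inq;      /* output: queue length, valid only if requested */
};

struct model_state {
    struct model_msg *msg;  /* NULL on the splice-like path */
    bool recvmsg_inq;       /* models the SO_INQ socket option */
    int  queued;            /* bytes remaining in the receive queue */
};

/* Pre-fix shape: the callee folds SO_INQ into the caller's input field. */
static int read_before(struct model_state *st)
{
    struct model_msg *msg = st->msg;

    if (st->recvmsg_inq) {
        if (!msg)
            return MODEL_FAULT;   /* the write below would hit NULL */
        msg->msg_get_inq = true;  /* mutates caller-owned input */
    }
    if (msg && msg->msg_get_inq)
        msg->msg_inq = st->queued;
    return 0;
}

/* Post-fix shape: combine both requests in a local, never write the input. */
static int read_after(struct model_state *st)
{
    struct model_msg *msg = st->msg;
    bool want_inq;

    if (!msg)
        return 0;                 /* splice-like path: nothing to report */
    want_inq = st->recvmsg_inq | msg->msg_get_inq;  /* one branch, bitwise or */
    if (want_inq)
        msg->msg_inq = st->queued;
    return 0;
}
```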

Affected Systems

The flaw affects the Linux kernel across all supported releases, including 6.19 rc4 and any kernel that incorporates the relevant changes from commits 4d1442979e4a and 2b514574f7e8 without the subsequent fix commit. The affected code resides in the AF_UNIX socket implementation, specifically in unix_stream_read_generic and related splice paths.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score is less than 1 %, implying a very low probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog, and there are no publicly documented exploits. The attack would require a local user to interact with the vulnerable socket operations, making it a local denial‑of‑service vector. Because the kernel crash is non‑remote, a patch is the most effective countermeasure.

Generated by OpenCVE AI on April 18, 2026 at 03:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that contains the fix (at least 6.19 rc4 or later).
  • If a kernel update is not yet available, avoid using AF_UNIX splice operations or any code paths that call unix_stream_read_generic with a NULL state->msg; consider recompiling the kernel with that functionality disabled (e.g. CONFIG_UNIX=n).
  • Monitor kernel logs for Oops or panic messages related to AF_UNIX sockets and apply the patch as soon as it is released.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*

Sat, 24 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Fri, 23 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
Title net: do not write to msg_get_inq in callee
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:36:33.394Z

Reserved: 2026-01-13T15:37:45.936Z

Link: CVE-2026-22983

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-01-23T16:15:54.333

Modified: 2026-02-26T18:48:36.020

Link: CVE-2026-22983

Redhat

Severity : Low

Public Date: 2026-01-23T00:00:00Z

Links: CVE-2026-22983 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T03:15:35Z

Weaknesses