Description
In the Linux kernel, the following vulnerability has been resolved:

tcp: call sk_data_ready() after listener migration

When inet_csk_listen_stop() migrates an established child socket from
a closing listener to another socket in the same SO_REUSEPORT group,
the target listener gets a new accept-queue entry via
inet_csk_reqsk_queue_add(), but that path never notifies the target
listener's waiters. A nonblocking accept() still works because it
checks the queue directly, but poll()/epoll_wait() waiters and
blocking accept() callers can also remain asleep indefinitely.

Call READ_ONCE(nsk->sk_data_ready)(nsk) after a successful migration
in inet_csk_listen_stop().

However, after inet_csk_reqsk_queue_add() succeeds, the ref acquired
in reuseport_migrate_sock() is effectively transferred to
nreq->rsk_listener. Another CPU can then dequeue nreq via accept()
or listener shutdown, hit reqsk_put(), and drop that listener ref.
Since listeners are SOCK_RCU_FREE, wrap the post-queue_add()
dereferences of nsk in rcu_read_lock()/rcu_read_unlock(), which also
covers the existing sock_net(nsk) access in that path.

The reqsk_timer_handler() path does not need the same changes for two
reasons: half-open requests become readable only after the final ACK,
where tcp_child_process() already wakes the listener; and once nreq is
visible via inet_ehash_insert(), the success path no longer touches
nsk directly.
Published: 2026-05-27
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a listener socket that has been migrated within a SO_REUSEPORT group to fail to notify waiters on the target listener after migration. When this occurs, poll or epoll waiters and blocking accept callers can hang indefinitely, blocking services that rely on socket acceptance. This missing notification is a race condition in the kernel's TCP listener migration code, making the affected systems vulnerable to service disruption. The weakness conforms to "CWE‑821: Improper Synchronization".

Affected Systems

All installations of the Linux kernel that ship the TCP SO_REUSEPORT listener migration code are affected. Because no specific kernel version is enumerated in the data, every vendor or distribution that uses the stock Linux kernel before the patch is impacted. Users should verify whether their kernel version incorporates the corresponding commit referenced in the advisory and upgrade if it does not.

Risk and Exploitability

The vulnerability carries no KEV designation and its EPSS score is less than 1%, indicating a very low probability of exploitation by known attacks at this time. The threat is still significant because any process with kernel access can create listening sockets with SO_REUSEPORT and trigger the migration race, causing a service that performs accept operations to stall. The impact is confinement to a local or potentially remote process that can reach the listening sockets, so while the attack vector is inferred as local or remote service interaction, that inference is based on the nature of the bug rather than explicit documentation. The CVSS score is 7.8, indicating a high severity impact, so it is prudent to treat the exploit likelihood as low in environments that expose services to untrusted input.

Generated by OpenCVE AI on May 30, 2026 at 12:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the fix for the TCP listener migration bug.
  • If immediate kernel upgrades are not possible, disable or remove the SO_REUSEPORT socket option from applications that do not need it, thereby preventing listener migration from occurring.
  • Introduce a watchdog or timeout logic in applications that perform accept operations to recover from the possibility of an indefinitely blocked accept call.
  • Move critical services to a more recent kernel version or employ kernel hardening options such as grsecurity or SELinux to limit the ability of local processes to create sockets with administrative privileges.

Generated by OpenCVE AI on May 30, 2026 at 12:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
References

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 29 May 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-821
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 27 May 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: tcp: call sk_data_ready() after listener migration When inet_csk_listen_stop() migrates an established child socket from a closing listener to another socket in the same SO_REUSEPORT group, the target listener gets a new accept-queue entry via inet_csk_reqsk_queue_add(), but that path never notifies the target listener's waiters. A nonblocking accept() still works because it checks the queue directly, but poll()/epoll_wait() waiters and blocking accept() callers can also remain asleep indefinitely. Call READ_ONCE(nsk->sk_data_ready)(nsk) after a successful migration in inet_csk_listen_stop(). However, after inet_csk_reqsk_queue_add() succeeds, the ref acquired in reuseport_migrate_sock() is effectively transferred to nreq->rsk_listener. Another CPU can then dequeue nreq via accept() or listener shutdown, hit reqsk_put(), and drop that listener ref. Since listeners are SOCK_RCU_FREE, wrap the post-queue_add() dereferences of nsk in rcu_read_lock()/rcu_read_unlock(), which also covers the existing sock_net(nsk) access in that path. The reqsk_timer_handler() path does not need the same changes for two reasons: half-open requests become readable only after the final ACK, where tcp_child_process() already wakes the listener; and once nreq is visible via inet_ehash_insert(), the success path no longer touches nsk directly.
Title tcp: call sk_data_ready() after listener migration
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:48:06.517Z

Reserved: 2026-05-13T15:03:33.092Z

Link: CVE-2026-46015

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T14:17:19.840

Modified: 2026-06-16T15:24:03.980

Link: CVE-2026-46015

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46015 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T12:45:23Z

Weaknesses