Impact
In the Linux kernel, the SELinux socket state is stored in a composite LSM socket blob. Functions sock_has_perm() and nlmsg_sock_has_extended_perms() directly dereference sk->sk_security, incorrectly assuming that the SELinux socket blob starts at offset zero. When another LSM allocates socket blob space before SELinux, this assumption fails and the helpers read an incorrect blob, feeding wrong SID and class values to AVC checks. This misreading can cause SELinux to make incorrect access decisions, potentially allowing an attacker to gain unauthorized privileges.
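The offset assumption described above can be reproduced in a userspace model. This is an added example, not kernel code or the upstream patch; the reduced structs, the second LSM, the helper names and the SID and class values are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model only: these reduced structs are assumptions, not kernel definitions. */
struct other_lsm_sock { uint32_t label; uint16_t flags; };   /* hypothetical second LSM */
struct sk_security_model { uint32_t sid; uint16_t sclass; }; /* SELinux socket state, reduced */
struct sock_model { void *sk_security; };                    /* points at the composite blob */

static size_t blob_total, selinux_off, other_off;

/* Hand out blob space in registration order, as a stacking framework does. */
static size_t reserve(size_t size) {
    size_t off = blob_total;
    blob_total += (size + 7) & ~(size_t)7;
    return off;
}

/* Flawed pattern from the advisory: assumes SELinux's region is at offset zero. */
static struct sk_security_model *sksec_direct(struct sock_model *sk) {
    return sk->sk_security;
}

/* Corrected pattern: add the offset SELinux was assigned in the composite blob. */
static struct sk_security_model *sksec_offset(struct sock_model *sk) {
    return (struct sk_security_model *)((char *)sk->sk_security + selinux_off);
}

/* Build one socket blob and return the SID a permission helper would pass to the AVC. */
uint32_t sid_seen(int other_lsm_first, int use_offset) {
    struct sock_model sk;
    uint32_t sid;
    blob_total = 0;
    if (other_lsm_first) other_off = reserve(sizeof(struct other_lsm_sock));
    selinux_off = reserve(sizeof(struct sk_security_model));
    if (!other_lsm_first) other_off = reserve(sizeof(struct other_lsm_sock));
    sk.sk_security = calloc(1, blob_total);
    if (!sk.sk_security) abort();
    memset((char *)sk.sk_security + other_off, 0xAA, sizeof(struct other_lsm_sock));
    sksec_offset(&sk)->sid = 42;    /* constructed SID value */
    sksec_offset(&sk)->sclass = 7;  /* constructed class value */
    sid = (use_offset ? sksec_offset(&sk) : sksec_direct(&sk))->sid;
    free(sk.sk_security);
    return sid;
}

int main(void) {
    printf("SELinux first: direct=%u offset=%u\n", (unsigned)sid_seen(0, 0), (unsigned)sid_seen(0, 1));
    printf("other LSM first: direct=%#x offset=%u\n", (unsigned)sid_seen(1, 0), (unsigned)sid_seen(1, 1));
    return 0;
}
```

When SELinux is the only or first allocator, both accessors agree, which is why the direct dereference goes unnoticed until another LSM reserves socket blob space ahead of it.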
Affected Systems
Affected systems include the Linux kernel on any platform that runs SELinux together with at least one additional LSM in a stacked configuration. No specific kernel version range is supplied in the CVE data, so the flaw may be present in any kernel release prior to the fix. The reported commits provide the remedy, which applies only to configurations where multiple LSMs coexist.
Risk and Exploitability
The CVSS score is not provided and EPSS is not available, so the precise severity is unknown. The flaw is not listed in CISA’s KEV catalog. The likely attack vector requires that an attacker be able to influence the order of LSM socket blob allocation, which suggests a local or privileged context. Because the bug can cause incorrect AVC decisions that may elevate privileges, the overall risk is considered high for systems running SELinux with additional LSM modules. Prompt patching is advised.