Impact
The Linux kernel’s AF_UNIX implementation mishandles SCM attributes when a socket configured for SOCKMAP receives a sk_buff that carries an inflight file descriptor. The garbage‑collector for UNIX sockets cannot inspect the socket queue in this scenario, allowing the sk_buff to retain a reference to a freed socket. This results in a use‑after‑free that corrupts kernel memory, giving an attacker the opportunity to execute arbitrary code, crash the system, or gain elevated privileges. The problem was fixed by dropping all SCM attributes before the sk_buff is processed by the SOCKMAP layer.
Affected Systems
Any installation of the Linux kernel that does not contain the commit removing SCM attributes from SOCKMAP handling is vulnerable, particularly when SOCKMAP is enabled for AF_UNIX sockets. The issue is vendor‑agnostic and affects all builds lacking the patch.
Risk and Exploitability
The flaw is a classic use‑after‑free in kernel space, implying high severity. The flaw has a CVSS score of 7.8, an EPSS score of < 1%, and is not listed in the CISA KEV catalog. The attack likely requires an attacker to craft a socket containing SCM attributes and send it to a SOCKMAP socket, which suggests a local or privileged‑level or compromised network‑stack vector. While the risk remains theoretical due to the lack of observed exploits, unpatched kernels are susceptible to kernel memory corruption, privilege escalation, or denial‑of‑service.
OpenCVE Enrichment