Impact
A race condition in the Linux kernel's BPF sockmap handling for Unix domain sockets can lead to a use‑after‑free when a BPF iterator updates a sockmap while a socket transitions from TCP_ESTABLISHED to TCP_CLOSE. The bug causes the peer pointer to become stale, corrupting kernel memory and typically resulting in a kernel crash. This flaw is identified as CWE‑825 and manifests as a kernel panic, effectively causing denial of services.
Affected Systems
All Linux kernel releases that lack the commit introducing a state‑lock in unix_stream_bpf_update_proto are affected. Unpatched kernels shipped by any distribution—whether Debian, Ubuntu, RedHat, SUSE, or others—expose all users running those kernel versions to this risk.
Risk and Exploitability
The CVSS score of 7.8 indicates a moderate‑to‑high severity. The EPSS score of < 1 % shows a very low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is inferred to be local; a malicious user would need to load a custom BPF program that performs a sockmap update, which normally requires root or elevated privileges. Therefore, the primary risk is to availability, as an attacker could trigger a kernel panic, but the overall exploitation probability remains low under current conditions.
OpenCVE Enrichment
Debian DLA