Impact
A logic flaw in the Linux kernel’s network SMC implementation allows an unprivileged local user to cause a denial of service by holding a socket lock for an indefinite period. The bug resides in the __smc_setsockopt() function, which performs a user‑space copy while holding the socket lock. By providing a userfaultfd‑monitored or FUSE‑backed memory page as the option value, an attacker can suspend the copy operation, keeping the lock held and stalling kernel workqueue tasks. When combined with operations such as shutdown(), the kernel’s hung task watchdog is triggered and system responsiveness is severely degraded.
Affected Systems
All Linux kernel releases prior to the inclusion of the patch that moves the user‑space copy outside the lock_sock() critical section. The affected code path is __smc_setsockopt() in net/smc. The commit series referenced in the advisory (e.g., 35a22117839602bb52283de08894c5a7dde92420) introduces the fix, so systems running kernel versions before this commit are vulnerable.
Risk and Exploitability
This vulnerability is exploitable locally by any unprivileged user with the ability to create an SMC socket and supply a specially crafted option payload. The attack vector is local. The EPSS score is 0.00181 (less than 1%), and the CVE is not listed in the CISA KEV catalog, indicating no known public exploits at the time of analysis. However, because the flaw leads to a kernel deadlock that activates the hung task watchdog, it can interrupt all kernel threads, effectively shutting down the system until reboot or a manual kernel reset. The lack of an exploit score does not diminish the inherent risk of a local user causing prolonged service outages.
OpenCVE Enrichment
Debian DLA