Description
In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS

A logic flaw in __smc_setsockopt() allows a local unprivileged user to
cause a Denial of Service (DoS) by holding the socket lock indefinitely.

The function __smc_setsockopt() calls copy_from_sockptr() while holding
lock_sock(sk). By passing a userfaultfd-monitored memory page (or
FUSE-backed memory on systems where unprivileged userfaultfd is disabled)
as the optval, an attacker can halt execution during the copy operation,
keeping the lock held.

Combined with asynchronous tear-down operations like shutdown(), this
exhausts the kernel wq (kworkers) and triggers the hung task watchdog.

[ 240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
[ 240.123489] Call Trace:
[ 240.123501] smc_shutdown+...
[ 240.123512] lock_sock_nested+...

This patch moves the user-space copy outside the lock_sock() critical
section to prevent the issue.
Published: 2026-06-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic flaw in the Linux kernel’s network SMC implementation allows an unprivileged local user to cause a denial of service by holding a socket lock for an indefinite period. The bug resides in the __smc_setsockopt() function, which performs a user‑space copy while holding the socket lock. By providing a userfaultfd‑monitored or FUSE‑backed memory page as the option value, an attacker can suspend the copy operation, keeping the lock held and stalling kernel workqueue tasks. When combined with operations such as shutdown(), the kernel’s hung task watchdog is triggered and system responsiveness is severely degraded.

Affected Systems

All Linux kernel releases prior to the inclusion of the patch that moves the user‑space copy outside the lock_sock() critical section. The affected code path is __smc_setsockopt() in net/smc. The commit series referenced in the advisory (e.g., 35a22117839602bb52283de08894c5a7dde92420) introduces the fix, so systems running kernel versions before this commit are vulnerable.

Risk and Exploitability

This vulnerability is exploitable locally by any unprivileged user with the ability to create an SMC socket and supply a specially crafted option payload. The attack vector is local. The EPSS score is 0.00181 (less than 1%), and the CVE is not listed in the CISA KEV catalog, indicating no known public exploits at the time of analysis. However, because the flaw leads to a kernel deadlock that activates the hung task watchdog, it can interrupt all kernel threads, effectively shutting down the system until reboot or a manual kernel reset. The lack of an exploit score does not diminish the inherent risk of a local user causing prolonged service outages.

Generated by OpenCVE AI on June 26, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the patch moving the user-space copy outside the lock_sock() critical section.
  • If upgrading immediately is not feasible, limit unprivileged access to userfaultfd or FUSE-backed memory by applying SELinux or AppArmor policies that deny the use of these mechanisms for non‑privileged processes.
  • After applying a fix or restriction, reboot the system to ensure the kernel lock handling returns to normal operation and monitor kernel logs for any kworker block messages.

Generated by OpenCVE AI on June 26, 2026 at 04:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Fri, 26 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-821
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Thu, 25 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS A logic flaw in __smc_setsockopt() allows a local unprivileged user to cause a Denial of Service (DoS) by holding the socket lock indefinitely. The function __smc_setsockopt() calls copy_from_sockptr() while holding lock_sock(sk). By passing a userfaultfd-monitored memory page (or FUSE-backed memory on systems where unprivileged userfaultfd is disabled) as the optval, an attacker can halt execution during the copy operation, keeping the lock held. Combined with asynchronous tear-down operations like shutdown(), this exhausts the kernel wq (kworkers) and triggers the hung task watchdog. [ 240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds. [ 240.123489] Call Trace: [ 240.123501] smc_shutdown+... [ 240.123512] lock_sock_nested+... This patch moves the user-space copy outside the lock_sock() critical section to prevent the issue.
Title net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:58.478Z

Reserved: 2026-06-09T07:44:35.395Z

Link: CVE-2026-53274

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53274 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T04:30:17Z

Weaknesses
  • CWE-821

    Incorrect Synchronization