Description
In the Linux kernel, the following vulnerability has been resolved:

net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind

syzbot reported a kernel BUG triggered from pn_socket_sendmsg() via
pn_socket_autobind():

kernel BUG at net/phonet/socket.c:213!
RIP: 0010:pn_socket_autobind net/phonet/socket.c:213 [inline]
RIP: 0010:pn_socket_sendmsg+0x240/0x250 net/phonet/socket.c:421
Call Trace:
sock_sendmsg_nosec+0x112/0x150 net/socket.c:797
__sock_sendmsg net/socket.c:812 [inline]
__sys_sendto+0x402/0x590 net/socket.c:2280
...

pn_socket_autobind() calls pn_socket_bind() with port 0 and, on
-EINVAL, assumes the socket was already bound and asserts that the
port is non-zero:

    err = pn_socket_bind(sock, ..., sizeof(struct sockaddr_pn));
    if (err != -EINVAL)
        return err;
    BUG_ON(!pn_port(pn_sk(sock->sk)->sobject));
    return 0; /* socket was already bound */

However pn_socket_bind() also returns -EINVAL when sk->sk_state is not
TCP_CLOSE, even when the socket has never been bound and pn_port() is
still 0. In that case the BUG_ON() fires and panics the kernel from a
user-triggerable path.

Treat the "bind returned -EINVAL but pn_port() is still 0" case as a
regular error and propagate -EINVAL to the caller instead of crashing.
Existing callers already translate a non-zero return from
pn_socket_autobind() into -ENOBUFS/-EAGAIN, so returning -EINVAL here
only changes behaviour from panic to a normal errno.
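The following is an added, self-contained C model of the control flow the commit message describes; it is not kernel code and not part of the CVE record. It models pn_socket_bind()'s two -EINVAL cases (socket already bound, and sk_state not TCP_CLOSE on a never-bound socket) and places the pre-fix autobind logic, with BUG_ON() replaced by a recorded flag so the model can keep running, beside the post-fix logic that propagates -EINVAL. All struct names, the TCP_CLOSE and port values, and the caller's mapping of a failed autobind to -ENOBUFS are stand-ins chosen for the model.

```c
/* Model of the pn_socket_autobind() defect described above.
 * Added illustration only: not Linux kernel code. Names, constants and
 * the sk_state/port representation are assumed stand-ins. */
#include <stdbool.h>
#include <stdio.h>

#define EINVAL       22
#define ENOBUFS      105
#define TCP_CLOSE    7     /* assumed stand-in for the kernel's sk_state value */
#define PN_AUTO_PORT 0x21  /* constructed: port assigned when autobind succeeds */

/* Minimal stand-in for the socket state pn_socket_bind() consults. */
struct pn_sock_model {
    int sk_state;          /* TCP_CLOSE while the socket is unconnected */
    unsigned int sobject;  /* phonet object; low byte modelled as the port */
    bool bug_on_fired;     /* records that BUG_ON() would have panicked */
};

static unsigned int pn_port(unsigned int sobject) { return sobject & 0xff; }

/* Models the two -EINVAL cases named in the commit message. Otherwise the
 * bind succeeds and a port is assigned (port 0 means "pick one"). */
static int model_pn_socket_bind(struct pn_sock_model *sk, unsigned int port)
{
    if (sk->sk_state != TCP_CLOSE)
        return -EINVAL;            /* never bound, yet -EINVAL */
    if (pn_port(sk->sobject) != 0)
        return -EINVAL;            /* already bound */
    sk->sobject = port ? port : PN_AUTO_PORT;
    return 0;
}

/* Pre-fix logic: -EINVAL is assumed to mean "already bound", so a port of 0
 * is treated as an impossible state and asserted with BUG_ON(). */
static int autobind_before_fix(struct pn_sock_model *sk)
{
    int err = model_pn_socket_bind(sk, 0);
    if (err != -EINVAL)
        return err;
    if (!pn_port(sk->sobject)) {   /* BUG_ON(!pn_port(...)) would fire here */
        sk->bug_on_fired = true;   /* stand-in for the panic */
        return -EINVAL;
    }
    return 0;                      /* socket was already bound */
}

/* Post-fix logic as described: -EINVAL with the port still 0 is an ordinary
 * error and is propagated instead of crashing. */
static int autobind_after_fix(struct pn_sock_model *sk)
{
    int err = model_pn_socket_bind(sk, 0);
    if (err != -EINVAL)
        return err;
    if (!pn_port(sk->sobject))
        return -EINVAL;            /* not bound and bind refused: report it */
    return 0;                      /* socket was already bound */
}

/* Models a sendmsg caller that autobinds an unbound socket and maps a failed
 * autobind to an errno, as the commit message says existing callers do.
 * Returns 0 on success or the negative errno the caller would report. */
static int sendmsg_model(struct pn_sock_model *sk, bool fixed)
{
    if (pn_port(sk->sobject) == 0) {
        int err = fixed ? autobind_after_fix(sk) : autobind_before_fix(sk);
        if (err)
            return -ENOBUFS;
    }
    return 0;
}

int main(void)
{
    /* Constructed trigger state: never bound, sk_state not TCP_CLOSE. */
    struct pn_sock_model old = { .sk_state = TCP_CLOSE + 1, .sobject = 0 };
    struct pn_sock_model new = { .sk_state = TCP_CLOSE + 1, .sobject = 0 };

    int r_old = sendmsg_model(&old, false);
    int r_new = sendmsg_model(&new, true);
    printf("pre-fix : sendmsg -> %d, BUG_ON fired = %s\n", r_old,
           old.bug_on_fired ? "yes (kernel panic)" : "no");
    printf("post-fix: sendmsg -> %d, BUG_ON fired = %s\n", r_new,
           new.bug_on_fired ? "yes" : "no (plain errno)");
    return 0;
}
```

The model is deliberately narrow: it shows only that the pre-fix code reaches the assertion on a state user space can produce, while the post-fix code turns the same state into a normal error return that the caller already knows how to handle.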
Published: 2026-06-26
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The defect lies in the Linux kernel's phonet networking subsystem, where the pn_socket_autobind() routine misinterprets a failed bind as evidence that the socket is already bound. When pn_socket_bind() returns -EINVAL for a socket that has never been bound, the code asserts that the port must be non-zero. The assertion fails and the BUG_ON() crashes the kernel. The path is reachable from pn_socket_sendmsg(), so a user-space process that can create a phonet socket and send data over it can trigger the crash. A kernel panic halts all services, producing an immediate denial of service for the entire host.

Affected Systems

Any Linux system whose kernel includes the phonet driver and has not received the fix is affected. The patch removes the faulty BUG_ON(), so kernels built from commits after the change are not affected. Every distribution kernel in the affected range, that is, any kernel that has not incorporated the change, must be identified and updated.

Risk and Exploitability

Triggering the bug requires a local process that can access the phonet socket interface; privileged code or a user with the appropriate rights can do so. Because the result is a full kernel crash, the impact encompasses the integrity and availability of the host, but not confidentiality. No CVSS or EPSS score has been disclosed, and the vulnerability is not listed in CISA's KEV catalog. Nonetheless, the clear path to a kernel panic implies a high potential for local denial of service if an attacker can run code that exercises the buggy path.

Generated by OpenCVE AI on June 26, 2026 at 22:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that incorporates the patch removing the BUG_ON in pn_socket_autobind
  • If an immediate kernel upgrade is not feasible, disable the phonet network subsystem by blacklisting or unloading the phonet module so the vulnerable code path cannot be reached
  • Continuously monitor system logs (e.g., dmesg, /var/log/kern.log) for BUG_ON failures or core dumps to detect if the issue remains active



Advisories

No advisories yet.

History

Fri, 26 Jun 2026 22:45:00 +0000

Type: Weaknesses
Values removed: (none)
Values added: CWE-655, CWE-665

Fri, 26 Jun 2026 20:15:00 +0000

Type: Description
Values added: the full vulnerability description as given in the Description section above (record created)

Type: Title
Values added: net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind

Type: First Time appeared
Values added: Linux; Linux linux Kernel

Type: CPEs
Values added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-26T19:40:51.470Z

Reserved: 2026-06-09T07:44:35.396Z

Link: CVE-2026-53292

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T22:30:04Z

Weaknesses
  • CWE-655: Insufficient Psychological Acceptability
  • CWE-665: Improper Initialization