Description
In the Linux kernel, the following vulnerability has been resolved:

net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind

syzbot reported a kernel BUG triggered from pn_socket_sendmsg() via
pn_socket_autobind():

kernel BUG at net/phonet/socket.c:213!
RIP: 0010:pn_socket_autobind net/phonet/socket.c:213 [inline]
RIP: 0010:pn_socket_sendmsg+0x240/0x250 net/phonet/socket.c:421
Call Trace:
sock_sendmsg_nosec+0x112/0x150 net/socket.c:797
__sock_sendmsg net/socket.c:812 [inline]
__sys_sendto+0x402/0x590 net/socket.c:2280
...

pn_socket_autobind() calls pn_socket_bind() with port 0 and, on
-EINVAL, assumes the socket was already bound and asserts that the
port is non-zero:

err = pn_socket_bind(sock, ..., sizeof(struct sockaddr_pn));
if (err != -EINVAL)
return err;
BUG_ON(!pn_port(pn_sk(sock->sk)->sobject));
return 0; /* socket was already bound */

However pn_socket_bind() also returns -EINVAL when sk->sk_state is not
TCP_CLOSE, even when the socket has never been bound and pn_port() is
still 0. In that case the BUG_ON() fires and panics the kernel from a
user-triggerable path.

Treat the "bind returned -EINVAL but pn_port() is still 0" case as a
regular error and propagate -EINVAL to the caller instead of crashing.
Existing callers already translate a non-zero return from
pn_socket_autobind() into -ENOBUFS/-EAGAIN, so returning -EINVAL here
only changes behaviour from panic to a normal errno.
Published: 2026-06-26
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An assertion in the Linux kernel's phonet networking driver causes a BUG_ON when the pn_socket_autobind() routine mistakenly interprets a failed bind as evidence that a socket has already been bound. When pn_socket_bind() returns –EINVAL for an unbound socket, pn_socket_autobind() fires the BUG_ON, leading to a kernel panic. The panic halts all system services, resulting in a denial of service for the affected host.

Affected Systems

Linux kernels that include the phonet driver and have not incorporated the commit that removed the BUG_ON are affected. All distributions running such kernels must identify whether their kernel version contains the fix. The patch is included in kernel releases following the change, so updating to a kernel that includes the commit resolves the issue. No specific version is listed in the data, so affected releases span all kernels prior to the fix.

Risk and Exploitability

The bug can be triggered by a user‑space process that creates a phonet socket and performs a sendmsg operation; the path is explicitly documented as user‑triggerable. The likely attack vector is a local process able to execute code in user mode, which could provoke a kernel panic and cause availability loss. The CVSS score is 5.5, the EPSS score is less than 1%, and the vulnerability is not listed in KEV; however the direct crash path indicates a high likelihood of denial of service if the attacker can reach the vulnerable code.

Generated by OpenCVE AI on June 29, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the commit removing the BUG_ON in pn_socket_autobind()
  • If a kernel upgrade cannot be performed immediately, disable the phonet network subsystem by blacklisting or unloading the phonet module so that the vulnerable code path is inaccessible
  • Continuously monitor kernel logs (e.g., dmesg, /var/log/kern.log) for BUG_ON occurrences or core dumps to detect whether the issue persists or an attack has been attempted

Generated by OpenCVE AI on June 29, 2026 at 15:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-655
CWE-665

Mon, 29 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-253
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Fri, 26 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-655
CWE-665

Fri, 26 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind syzbot reported a kernel BUG triggered from pn_socket_sendmsg() via pn_socket_autobind(): kernel BUG at net/phonet/socket.c:213! RIP: 0010:pn_socket_autobind net/phonet/socket.c:213 [inline] RIP: 0010:pn_socket_sendmsg+0x240/0x250 net/phonet/socket.c:421 Call Trace: sock_sendmsg_nosec+0x112/0x150 net/socket.c:797 __sock_sendmsg net/socket.c:812 [inline] __sys_sendto+0x402/0x590 net/socket.c:2280 ... pn_socket_autobind() calls pn_socket_bind() with port 0 and, on -EINVAL, assumes the socket was already bound and asserts that the port is non-zero: err = pn_socket_bind(sock, ..., sizeof(struct sockaddr_pn)); if (err != -EINVAL) return err; BUG_ON(!pn_port(pn_sk(sock->sk)->sobject)); return 0; /* socket was already bound */ However pn_socket_bind() also returns -EINVAL when sk->sk_state is not TCP_CLOSE, even when the socket has never been bound and pn_port() is still 0. In that case the BUG_ON() fires and panics the kernel from a user-triggerable path. Treat the "bind returned -EINVAL but pn_port() is still 0" case as a regular error and propagate -EINVAL to the caller instead of crashing. Existing callers already translate a non-zero return from pn_socket_autobind() into -ENOBUFS/-EAGAIN, so returning -EINVAL here only changes behaviour from panic to a normal errno.
Title net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-26T19:40:51.470Z

Reserved: 2026-06-09T07:44:35.396Z

Link: CVE-2026-53292

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-26T00:00:00Z

Links: CVE-2026-53292 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T16:00:05Z

Weaknesses
  • CWE-253

    Incorrect Check of Function Return Value