{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-46015","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-13T15:03:33.092Z","datePublished":"2026-05-27T12:56:17.249Z","dateUpdated":"2026-06-14T17:48:06.517Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-14T17:48:06.517Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: call sk_data_ready() after listener migration\n\nWhen inet_csk_listen_stop() migrates an established child socket from\na closing listener to another socket in the same SO_REUSEPORT group,\nthe target listener gets a new accept-queue entry via\ninet_csk_reqsk_queue_add(), but that path never notifies the target\nlistener's waiters. A nonblocking accept() still works because it\nchecks the queue directly, but poll()/epoll_wait() waiters and\nblocking accept() callers can also remain asleep indefinitely.\n\nCall READ_ONCE(nsk->sk_data_ready)(nsk) after a successful migration\nin inet_csk_listen_stop().\n\nHowever, after inet_csk_reqsk_queue_add() succeeds, the ref acquired\nin reuseport_migrate_sock() is effectively transferred to\nnreq->rsk_listener. Another CPU can then dequeue nreq via accept()\nor listener shutdown, hit reqsk_put(), and drop that listener ref.\nSince listeners are SOCK_RCU_FREE, wrap the post-queue_add()\ndereferences of nsk in rcu_read_lock()/rcu_read_unlock(), which also\ncovers the existing sock_net(nsk) access in that path.\n\nThe reqsk_timer_handler() path does not need the same changes for two\nreasons: half-open requests become readable only after the final ACK,\nwhere tcp_child_process() already wakes the listener; and once nreq is\nvisible via inet_ehash_insert(), the success path no longer touches\nnsk directly."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/inet_connection_sock.c"],"versions":[{"version":"54b92e84193749c9968aff2dd46e3b0f42643e18","lessThan":"7aa7933a5607b1e5b56f322d17265c1d0ea02c51","status":"affected","versionType":"git"},{"version":"54b92e84193749c9968aff2dd46e3b0f42643e18","lessThan":"14e9bb6eba8f59dcc637702e4744ae5e30660d76","status":"affected","versionType":"git"},{"version":"54b92e84193749c9968aff2dd46e3b0f42643e18","lessThan":"ab5fdcd535645f6dbe6e9e21d96a08d141e88b4b","status":"affected","versionType":"git"},{"version":"54b92e84193749c9968aff2dd46e3b0f42643e18","lessThan":"bebd058ef40c67a81fe6d9ee8beaa4ede90e0704","status":"affected","versionType":"git"},{"version":"54b92e84193749c9968aff2dd46e3b0f42643e18","lessThan":"83bb57635d7cbafde32f865b577ecfd969f02337","status":"affected","versionType":"git"},{"version":"54b92e84193749c9968aff2dd46e3b0f42643e18","lessThan":"12625b4da84caf4d84a04988710a7b9bcf702b18","status":"affected","versionType":"git"},{"version":"54b92e84193749c9968aff2dd46e3b0f42643e18","lessThan":"3864c6ba1e041bc75342353a70fa2a2c6f909923","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/inet_connection_sock.c"],"versions":[{"version":"5.14","status":"affected"},{"version":"0","lessThan":"5.14","status":"unaffected","versionType":"semver"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.86","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.27","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.4","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"5.15.209"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"6.1.175"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"6.6.140"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"6.12.86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"6.18.27"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"7.0.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"7.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/7aa7933a5607b1e5b56f322d17265c1d0ea02c51"},{"url":"https://git.kernel.org/stable/c/14e9bb6eba8f59dcc637702e4744ae5e30660d76"},{"url":"https://git.kernel.org/stable/c/ab5fdcd535645f6dbe6e9e21d96a08d141e88b4b"},{"url":"https://git.kernel.org/stable/c/bebd058ef40c67a81fe6d9ee8beaa4ede90e0704"},{"url":"https://git.kernel.org/stable/c/83bb57635d7cbafde32f865b577ecfd969f02337"},{"url":"https://git.kernel.org/stable/c/12625b4da84caf4d84a04988710a7b9bcf702b18"},{"url":"https://git.kernel.org/stable/c/3864c6ba1e041bc75342353a70fa2a2c6f909923"}],"title":"tcp: call sk_data_ready() after listener migration","x_generator":{"engine":"bippy-1.2.0"}}}}