{"id":"CVE-2026-46015","summary":"tcp: call sk_data_ready() after listener migration","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: call sk_data_ready() after listener migration\n\nWhen inet_csk_listen_stop() migrates an established child socket from\na closing listener to another socket in the same SO_REUSEPORT group,\nthe target listener gets a new accept-queue entry via\ninet_csk_reqsk_queue_add(), but that path never notifies the target\nlistener's waiters. A nonblocking accept() still works because it\nchecks the queue directly, but poll()/epoll_wait() waiters and\nblocking accept() callers can also remain asleep indefinitely.\n\nCall READ_ONCE(nsk-\u003esk_data_ready)(nsk) after a successful migration\nin inet_csk_listen_stop().\n\nHowever, after inet_csk_reqsk_queue_add() succeeds, the ref acquired\nin reuseport_migrate_sock() is effectively transferred to\nnreq-\u003ersk_listener. Another CPU can then dequeue nreq via accept()\nor listener shutdown, hit reqsk_put(), and drop that listener ref.\nSince listeners are SOCK_RCU_FREE, wrap the post-queue_add()\ndereferences of nsk in rcu_read_lock()/rcu_read_unlock(), which also\ncovers the existing sock_net(nsk) access in that path.\n\nThe reqsk_timer_handler() path does not need the same changes for two\nreasons: half-open requests become readable only after the final ACK,\nwhere tcp_child_process() already wakes the listener; and once nreq is\nvisible via inet_ehash_insert(), the success path no longer touches\nnsk directly.","modified":"2026-06-18T03:56:49.726133356Z","published":"2026-05-27T12:56:17.249Z","related":["openSUSE-SU-2026:10954-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46015.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/12625b4da84caf4d84a04988710a7b9bcf702b18"},{"type":"WEB","url":"https://git.kernel.org/stable/c/14e9bb6eba8f59dcc637702e4744ae5e30660d76"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3864c6ba1e041bc75342353a70fa2a2c6f909923"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7aa7933a5607b1e5b56f322d17265c1d0ea02c51"},{"type":"WEB","url":"https://git.kernel.org/stable/c/83bb57635d7cbafde32f865b577ecfd969f02337"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ab5fdcd535645f6dbe6e9e21d96a08d141e88b4b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bebd058ef40c67a81fe6d9ee8beaa4ede90e0704"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46015.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46015"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"54b92e84193749c9968aff2dd46e3b0f42643e18"},{"fixed":"7aa7933a5607b1e5b56f322d17265c1d0ea02c51"},{"fixed":"14e9bb6eba8f59dcc637702e4744ae5e30660d76"},{"fixed":"ab5fdcd535645f6dbe6e9e21d96a08d141e88b4b"},{"fixed":"bebd058ef40c67a81fe6d9ee8beaa4ede90e0704"},{"fixed":"83bb57635d7cbafde32f865b577ecfd969f02337"},{"fixed":"12625b4da84caf4d84a04988710a7b9bcf702b18"},{"fixed":"3864c6ba1e041bc75342353a70fa2a2c6f909923"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46015.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.14.0"},{"fixed":"5.15.209"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.140"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.86"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.27"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46015.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}