CVE-2026-46015 Overview
CVE-2026-46015 is a Linux kernel TCP networking flaw in the inet_csk_listen_stop() listener migration path. When an established child socket is migrated from a closing listener to another listener in the same SO_REUSEPORT group, the target listener's waiters are not notified. Blocking accept() callers and poll()/epoll_wait() waiters can sleep indefinitely. A secondary issue exists in reference counting: after inet_csk_reqsk_queue_add() succeeds, the listener reference is transferred and another CPU can drop it, leaving subsequent dereferences of nsk unsafe without RCU protection.
Critical Impact
Server applications relying on SO_REUSEPORT listener migration can stall indefinitely, leading to denial-of-service conditions on TCP services that depend on blocking accept loops or epoll-based event notification.
Affected Products
- Linux kernel TCP/IPv4 stack (net/ipv4/inet_connection_sock.c)
- Linux kernel builds using SO_REUSEPORT socket groups
- Stable kernel branches receiving the fix commits referenced in git.kernel.org
Discovery Timeline
- 2026-05-27 - CVE-2026-46015 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-46015
Vulnerability Analysis
The flaw resides in the TCP listener migration logic that runs when a listening socket is closed while peer listeners exist in the same SO_REUSEPORT group. The kernel transfers an already-established child socket to a surviving listener through inet_csk_reqsk_queue_add(). This path enqueues the new request onto the target listener's accept queue but omits the wakeup call. Nonblocking accept() callers tolerate the omission because they poll the queue directly. Blocking accept() consumers and poll()/epoll_wait() waiters depend on sk_data_ready() to wake them and therefore remain asleep until another event arrives.
Root Cause
The migration path in inet_csk_listen_stop() invokes inet_csk_reqsk_queue_add() without subsequently calling READ_ONCE(nsk->sk_data_ready)(nsk). A second defect compounds the issue: once inet_csk_reqsk_queue_add() succeeds, the reference acquired by reuseport_migrate_sock() is transferred to nreq->rsk_listener. A concurrent CPU can dequeue nreq via accept() or listener shutdown, call reqsk_put(), and drop the listener reference. Any post-queue-add dereference of nsk without RCU protection becomes a use-after-free candidate, even though listeners are SOCK_RCU_FREE.
Attack Vector
Exploitation requires triggering listener migration within a SO_REUSEPORT group while concurrent accept() or shutdown activity races against the migration. Locally co-resident workloads or attackers controlling traffic patterns to a multi-listener TCP service can induce repeated migrations to stall accept queues. The fix wraps the post-queue_add dereferences of nsk in rcu_read_lock()/rcu_read_unlock() and explicitly calls sk_data_ready() on the target listener after a successful migration. The reqsk_timer_handler() path is unaffected because half-open requests become readable only after the final ACK where tcp_child_process() already wakes the listener.
No public exploit code is associated with this issue. See the kernel commit references for the upstream fix.
Detection Methods for CVE-2026-46015
Indicators of Compromise
- TCP server processes accumulating in uninterruptible or interruptible sleep on inet_csk_accept despite pending connections in the accept queue.
- ss -lnt showing nonzero Recv-Q on listening sockets while the owning process remains blocked.
- Unexpected hangs in services using SO_REUSEPORT worker pools after listener restarts or rolling reloads.
Detection Strategies
- Inventory running kernels against the fixed stable commits (12625b4da84c, 3864c6ba1e04, 83bb57635d7c, ab5fdcd53564, bebd058ef40c) using configuration management tooling.
- Audit applications for SO_REUSEPORT usage combined with blocking accept() or epoll_wait() loops, which are the conditions required to observe the hang.
- Correlate kernel uname -r output with distribution advisories to identify hosts still running pre-patch builds.
Monitoring Recommendations
- Alert on TCP listeners with sustained nonzero accept-queue depth combined with idle owning processes.
- Track per-process scheduler wait states for long-lived accept() callers on production network services.
- Monitor for repeated listener restart cycles in load balancers and reverse proxies that rely on SO_REUSEPORT socket groups.
How to Mitigate CVE-2026-46015
Immediate Actions Required
- Apply the upstream kernel patches referenced in the stable tree commits to all affected hosts.
- Identify production workloads that use SO_REUSEPORT listener pools and prioritize them for kernel updates.
- Restart long-running services after patching to ensure no processes remain blocked on the pre-patch accept path.
Patch Information
The fix is committed across multiple Linux stable branches. Reference commits: 12625b4da84c, 3864c6ba1e04, 83bb57635d7c, ab5fdcd53564, and bebd058ef40c. The patch adds the missing sk_data_ready() invocation and wraps post-migration nsk dereferences in an RCU read-side critical section.
Workarounds
- Where patching is not yet possible, avoid relying on listener migration by performing graceful drain of SO_REUSEPORT groups before shutting down a listener.
- Use nonblocking accept() with a short timeout fallback to bypass the missed-wakeup path in vulnerable kernels.
- Stagger listener restarts so that migrations do not coincide with active accept() or epoll_wait() callers in peer listeners.
# Verify kernel version against fixed stable commits
uname -r
# Identify processes blocked on accept while queues are non-empty
ss -lntp
for pid in $(pgrep -f your_service); do
awk '/State|wchan/' /proc/$pid/status
done
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
