CVE-2026-53274 Overview
CVE-2026-53274 is a logic flaw in the Linux kernel's Shared Memory Communications (SMC) socket subsystem. The vulnerability resides in the __smc_setsockopt() function, which calls copy_from_sockptr() while holding lock_sock(sk). A local unprivileged user can supply a userfaultfd-monitored memory page or FUSE-backed memory as the optval argument, halting the copy operation indefinitely while the socket lock remains held. Combined with asynchronous tear-down operations such as shutdown(), this exhausts kernel workqueue threads (kworkers) and triggers the hung task watchdog, resulting in a local Denial of Service condition.
Critical Impact
A local unprivileged attacker can stall kernel workqueues and trigger the hung task watchdog by abusing userfaultfd or FUSE-backed memory during an SMC setsockopt() call.
Affected Products
- Linux kernel versions implementing the net/smc subsystem with the vulnerable __smc_setsockopt() logic
- Distributions shipping kernels prior to the upstream fix commits referenced below
- Systems where unprivileged userfaultfd is enabled, or where FUSE-backed memory is accessible to unprivileged users
Discovery Timeline
- 2026-06-25 - CVE-2026-53274 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-53274
Vulnerability Analysis
The defect is a sleep-inside-lock pattern in the SMC socket option handler. The kernel function __smc_setsockopt() acquires the socket lock via lock_sock(sk) and then performs a user-space copy using copy_from_sockptr(). The copy_from_sockptr() call can sleep if the source pages are not resident, which is the normal expectation for user copies — but here it is performed under a held socket lock.
An attacker controls a userfaultfd-monitored page (or a FUSE-backed mapping) and passes it as the optval pointer to setsockopt(). The page fault triggered during the copy is intercepted by the attacker's userfaultfd handler, which never resolves the fault. The copy operation blocks indefinitely while still holding the socket lock.
When another path such as smc_shutdown() attempts to acquire the same socket lock, the worker thread blocks inside lock_sock_nested() (the frame shows up as lock_sock_nested+<offset> in the watchdog trace). With repeated invocations, kernel worker threads are progressively consumed, eventually exhausting the workqueue and tripping the hung task watchdog after the default hung_task_timeout_secs of 120 seconds.
Root Cause
The root cause is the placement of a potentially sleeping user-space memory copy inside a critical section guarded by lock_sock(). The fix moves the copy_from_sockptr() operation outside the lock_sock() region so that page-fault stalls on attacker-controlled memory cannot pin the socket lock.
Attack Vector
Exploitation requires local code execution as an unprivileged user. The attacker registers a userfaultfd region (or maps FUSE-backed memory on systems where unprivileged userfaultfd is disabled) and uses that region as the optval argument when calling setsockopt() on an SMC socket. Repeatedly issuing such calls while triggering asynchronous tear-down operations starves the kernel workqueue. No network access or elevated privileges are required.
No verified public proof-of-concept code is available. The vulnerability mechanism is described in the upstream patch commits listed under the references — see the Linux Kernel Commit 35a221178396 and related stable backports.
Detection Methods for CVE-2026-53274
Indicators of Compromise
- Kernel log entries reporting INFO: task kworker/<id> blocked for more than 120 seconds with call traces containing frames such as smc_shutdown+<offset> and lock_sock_nested+<offset>
- Sustained growth in blocked kernel worker threads correlated with unprivileged process activity
- Unprivileged processes invoking setsockopt() against AF_SMC sockets with userfaultfd or FUSE-backed memory regions
Detection Strategies
- Monitor dmesg and /var/log/kern.log for hung task watchdog messages that include smc_ symbols in the call trace
- Audit syscall telemetry for unprivileged use of userfaultfd() combined with socket(AF_SMC, ...) and setsockopt() sequences
- Track FUSE mount activity by non-root users on systems where vm.unprivileged_userfaultfd is set to 0
Monitoring Recommendations
- Enable kernel auditd rules for userfaultfd, socket, and setsockopt syscalls and forward to a centralized log pipeline
- Alert on repeated hung_task_timeout_secs violations referencing socket lock functions
- Baseline normal workqueue depth and alert on sustained worker thread starvation
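The watchdog reports described above can be scanned with a short script. The following is an added example, not part of the advisory: it splits kernel log text into hung-task reports and keeps only those whose call trace carries both an smc_* frame and lock_sock_nested, which is the signature the indicators above describe. The sample log is constructed to match the watchdog's output format (timestamps, offsets and the unrelated jbd2 report are invented for illustration); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): pull hung-task reports out of kernel log text and keep
# only those whose call trace shows an SMC path waiting on the socket lock, i.e. frames that
# contain both an smc_* symbol and lock_sock_nested. Feed it "dmesg" or "journalctl -k" output.

smc_hung_tasks() {
    # stdin: kernel log lines; stdout: one task name per matching hung-task report
    awk '
    function emit() {
        if (task != "" && smc && locksock) print task
        task = ""; smc = 0; locksock = 0
    }
    /INFO: task .* blocked for more than [0-9]+ seconds/ {
        emit()
        # the task name is the token after the literal word "task", whatever prefix the logger added
        for (i = 1; i <= NF; i++) if ($i == "task") { task = $(i + 1); break }
        next
    }
    task != "" && /smc_[a-z0-9_]*[+]0x/   { smc = 1 }
    task != "" && /lock_sock_nested[+]0x/ { locksock = 1 }
    END { emit() }
    '
}

smc_hung_count() {
    # convenience wrapper for alerting: number of matching reports on stdin
    smc_hung_tasks | wc -l | tr -d ' '
}

# Constructed sample log (not a real capture): one SMC report, one unrelated jbd2 report.
SAMPLE_DMESG='[  361.127331] INFO: task kworker/2:1:57 blocked for more than 120 seconds.
[  361.128004]       Not tainted 6.0.0-example #1
[  361.128402] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[  361.129101] task:kworker/2:1     state:D stack:0     pid:57    ppid:2      flags:0x00004000
[  361.130000] Call Trace:
[  361.130200]  <TASK>
[  361.130400]  __schedule+0x3e5/0xb20
[  361.130600]  schedule+0x27/0xa0
[  361.130800]  __lock_sock+0x7f/0xc0
[  361.131000]  lock_sock_nested+0x4e/0x60
[  361.131200]  smc_shutdown+0x58/0x2a0
[  361.131400]  process_one_work+0x1c5/0x3b0
[  361.131600]  </TASK>
[  480.000000] INFO: task jbd2/sda1-8:311 blocked for more than 120 seconds.
[  480.000500] Call Trace:
[  480.001000]  __schedule+0x3e5/0xb20
[  480.001200]  schedule+0x27/0xa0
[  480.001400]  io_schedule+0x42/0x70
[  480.001600]  jbd2_journal_commit_transaction+0x2f1/0x1a00'

# Stand-alone run over the constructed sample; on a live host use: dmesg | smc_hung_tasks
printf '%s\n' "$SAMPLE_DMESG" | smc_hung_tasks
```

Requiring both symbols keeps ordinary storage or filesystem stalls (the jbd2 report in the sample) out of the alert; a report that names only lock_sock_nested without an smc_ frame is a different socket-lock problem and should be triaged separately.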
How to Mitigate CVE-2026-53274
Immediate Actions Required
- Apply the upstream Linux kernel patches that move copy_from_sockptr() outside the lock_sock() critical section in __smc_setsockopt()
- Update to a distribution kernel that incorporates the referenced stable commits
- Where SMC is not required, unload and blacklist the smc kernel module to remove the attack surface; this is not possible on kernels built with CONFIG_SMC=y, where only the patched kernel helps
Patch Information
The upstream fix is distributed across the following stable kernel commits, each of which relocates the user-space copy out of the socket lock critical section:
- Linux Kernel Commit 35a221178396
- Linux Kernel Commit 5d27d2ffe4
- Linux Kernel Commit 89f6fbe0033
- Linux Kernel Commit 94d286fa5e
- Linux Kernel Commit a3fdd924d8
- Linux Kernel Commit dcd90f42a3
Workarounds
- Disable unprivileged userfaultfd by setting vm.unprivileged_userfaultfd=0 via sysctl (the default since Linux 5.11). At 0, callers without CAP_SYS_PTRACE may only register handlers with UFFD_USER_MODE_ONLY, so the kernel-mode fault raised by copy_from_sockptr() fails with EFAULT instead of blocking; this closes the userfaultfd path but not the FUSE path
- Restrict unprivileged FUSE mounts: remove the setuid bit from fusermount/fusermount3 where it is not needed, and on hosts that do not run rootless containers limit unprivileged user namespaces (which also permit FUSE mounts on kernels from 4.18 onward), for example with user.max_user_namespaces=0
- Blacklist the smc module on hosts that do not require SMC connectivity; without a blacklist, an unprivileged socket(AF_SMC, ...) call autoloads the module on demand, and a module that is already loaded must also be unloaded
# Disable unprivileged userfaultfd (default since 5.11; unprivileged callers keep only UFFD_USER_MODE_ONLY)
echo 'vm.unprivileged_userfaultfd=0' | sudo tee /etc/sysctl.d/99-cve-2026-53274.conf
sudo sysctl --system
# Blacklist the SMC module if SMC is not required; "install smc /bin/false" also blocks an explicit modprobe
printf 'blacklist smc\ninstall smc /bin/false\n' | sudo tee /etc/modprobe.d/blacklist-smc.conf
sudo modprobe -r smc 2>/dev/null || true   # unload if currently loaded; fails harmlessly if in use or built in
sudo update-initramfs -u   # Debian/Ubuntu; use "sudo dracut -f" on RHEL-family hosts
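After applying the workarounds it is worth confirming that none of the three preconditions (SMC reachable, unprivileged userfaultfd able to serve kernel-mode faults, an unprivileged FUSE mount path) is still met. The script below is an added example, not part of the advisory or the kernel project. It reads the live host by default; the optional root-prefix argument is this example's own convention so the same checks can be run against a mounted image or a test fixture. The fusermount paths and the user-namespace heuristic are assumptions about typical distributions.

```shell
#!/bin/sh
# Added example (not from the advisory or the kernel project): report whether this host still
# exposes the conditions CVE-2026-53274 needs. Optional first argument is a root prefix so the
# same checks can run against a mounted image or a test fixture (assumption made for offline use).

cve_2026_53274_check() {
    root=${1:-}
    kver=$(uname -r)
    exposed=0

    # 1. SMC attack surface. A built-in SMC (CONFIG_SMC=y) cannot be blacklisted; only a patched
    #    kernel removes it. A loaded module can be unloaded and blacklisted.
    cfg="$root/boot/config-$kver"
    if [ -r "$cfg" ] && grep -q '^CONFIG_SMC=y$' "$cfg"; then
        echo "SMC: built into kernel $kver (blacklist has no effect; patch the kernel)"
        exposed=1
    elif grep -q '^smc ' "$root/proc/modules" 2>/dev/null; then
        echo "SMC: module currently loaded (unload and blacklist it)"
        exposed=1
    else
        echo "SMC: not loaded"
    fi

    # 2. userfaultfd policy. With the sysctl at 0 an unprivileged caller is limited to
    #    UFFD_USER_MODE_ONLY, so the kernel-mode fault raised by copy_from_sockptr() is not
    #    handed to the attacker's handler; it fails with EFAULT instead of waiting.
    uffd=$(cat "$root/proc/sys/vm/unprivileged_userfaultfd" 2>/dev/null || echo absent)
    case $uffd in
        0) echo "userfaultfd: unprivileged use limited to user-mode faults (vm.unprivileged_userfaultfd=0)" ;;
        1) echo "userfaultfd: unprivileged handlers may serve kernel-mode faults (set vm.unprivileged_userfaultfd=0)"
           exposed=1 ;;
        *) echo "userfaultfd: sysctl not present ($uffd)" ;;
    esac

    # 3. FUSE path. Unprivileged FUSE mounts need /dev/fuse plus either a setuid fusermount
    #    helper or user namespaces; without one of those the FUSE variant is not reachable.
    if [ -e "$root/dev/fuse" ]; then
        helper=""
        for f in "$root/usr/bin/fusermount3" "$root/usr/bin/fusermount" "$root/bin/fusermount"; do
            [ -u "$f" ] && helper=$f
        done
        userns=$(cat "$root/proc/sys/user/max_user_namespaces" 2>/dev/null || echo 0)
        if [ -n "$helper" ] || [ "$userns" -gt 0 ]; then
            echo "FUSE: /dev/fuse present and unprivileged mounts possible (helper=${helper:-none}, max_user_namespaces=$userns)"
            exposed=1
        else
            echo "FUSE: /dev/fuse present but no unprivileged mount path found"
        fi
    else
        echo "FUSE: /dev/fuse not present"
    fi

    return $exposed
}

# Stand-alone use: sh check.sh [ROOT]; a non-zero return means at least one condition is still met.
cve_2026_53274_check "${1:-}" || echo "RESULT: host still exposed; apply the upstream fix commits"
```

A clean result from this script does not replace the kernel update: the blacklist and sysctl only remove the two memory-stall paths the advisory names, and the sleep-under-lock pattern itself is gone only in kernels carrying the listed commits.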
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

