{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "54b92e84193749c9968aff2dd46e3b0f42643e18"
            },
            {
              "fixed": "7aa7933a5607b1e5b56f322d17265c1d0ea02c51"
            },
            {
              "fixed": "14e9bb6eba8f59dcc637702e4744ae5e30660d76"
            },
            {
              "fixed": "ab5fdcd535645f6dbe6e9e21d96a08d141e88b4b"
            },
            {
              "fixed": "bebd058ef40c67a81fe6d9ee8beaa4ede90e0704"
            },
            {
              "fixed": "83bb57635d7cbafde32f865b577ecfd969f02337"
            },
            {
              "fixed": "12625b4da84caf4d84a04988710a7b9bcf702b18"
            },
            {
              "fixed": "3864c6ba1e041bc75342353a70fa2a2c6f909923"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.14.0"
            },
            {
              "fixed": "5.15.209"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.16.0"
            },
            {
              "fixed": "6.1.175"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.140"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.86"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.27"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "7.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46015.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: call sk_data_ready() after listener migration\n\nWhen inet_csk_listen_stop() migrates an established child socket from\na closing listener to another socket in the same SO_REUSEPORT group,\nthe target listener gets a new accept-queue entry via\ninet_csk_reqsk_queue_add(), but that path never notifies the target\nlistener's waiters. A nonblocking accept() still works because it\nchecks the queue directly, but poll()/epoll_wait() waiters and\nblocking accept() callers can also remain asleep indefinitely.\n\nCall READ_ONCE(nsk-\u003esk_data_ready)(nsk) after a successful migration\nin inet_csk_listen_stop().\n\nHowever, after inet_csk_reqsk_queue_add() succeeds, the ref acquired\nin reuseport_migrate_sock() is effectively transferred to\nnreq-\u003ersk_listener. Another CPU can then dequeue nreq via accept()\nor listener shutdown, hit reqsk_put(), and drop that listener ref.\nSince listeners are SOCK_RCU_FREE, wrap the post-queue_add()\ndereferences of nsk in rcu_read_lock()/rcu_read_unlock(), which also\ncovers the existing sock_net(nsk) access in that path.\n\nThe reqsk_timer_handler() path does not need the same changes for two\nreasons: half-open requests become readable only after the final ACK,\nwhere tcp_child_process() already wakes the listener; and once nreq is\nvisible via inet_ehash_insert(), the success path no longer touches\nnsk directly.",
  "id": "CVE-2026-46015",
  "modified": "2026-07-08T05:38:29.845844231Z",
  "published": "2026-05-27T12:56:17.249Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/12625b4da84caf4d84a04988710a7b9bcf702b18"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/14e9bb6eba8f59dcc637702e4744ae5e30660d76"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3864c6ba1e041bc75342353a70fa2a2c6f909923"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7aa7933a5607b1e5b56f322d17265c1d0ea02c51"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/83bb57635d7cbafde32f865b577ecfd969f02337"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ab5fdcd535645f6dbe6e9e21d96a08d141e88b4b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bebd058ef40c67a81fe6d9ee8beaa4ede90e0704"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46015.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46015"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "tcp: call sk_data_ready() after listener migration"
}