CVE-2024-26923 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Redhat	Enterprise Linux Rhel Aus Rhel E4s Rhel Eus Rhel Tus

No data.

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
kernel-rt-0:4.18.0-553.22.1.rt7.363.el8_10	cpe:/a:redhat:enterprise_linux:8::nfv	RHSA-2024:7001	2024-09-24T00:00:00Z
kernel-0:4.18.0-553.22.1.el8_10	cpe:/o:redhat:enterprise_linux:8	RHSA-2024:7000	2024-09-24T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
kernel-0:4.18.0-372.125.1.el8_6	cpe:/o:redhat:rhel_aus:8.6	RHSA-2024:7486	2024-10-02T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
kernel-0:4.18.0-372.125.1.el8_6	cpe:/o:redhat:rhel_tus:8.6	RHSA-2024:7486	2024-10-02T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
kernel-0:4.18.0-372.125.1.el8_6	cpe:/o:redhat:rhel_e4s:8.6	RHSA-2024:7486	2024-10-02T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
kernel-0:4.18.0-477.74.1.el8_8	cpe:/o:redhat:rhel_eus:8.8	RHSA-2024:6993	2024-09-24T00:00:00Z
Red Hat Enterprise Linux 9
kernel-0:5.14.0-427.42.1.el9_4	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:8617	2024-10-30T00:00:00Z
kernel-0:5.14.0-427.42.1.el9_4	cpe:/o:redhat:enterprise_linux:9	RHSA-2024:8617	2024-10-30T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
kernel-0:5.14.0-284.75.1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2024:4823	2024-07-24T00:00:00Z
kernel-rt-0:5.14.0-284.75.1.rt14.360.el9_2	cpe:/a:redhat:rhel_eus:9.2::nfv	RHSA-2024:4831	2024-07-24T00:00:00Z

References

Link	Providers
https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3
https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f
https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51
https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9
https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423
https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c
https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009
https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
https://lore.kernel.org/linux-cve-announce/2024042418-CVE-2024-26923-f7f6@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-26923
https://www.cve.org/CVERecord?id=CVE-2024-26923

History

Fri, 11 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00076}`	epss `{'score': 0.00078}`

Fri, 22 Nov 2024 12:00:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

Tue, 05 Nov 2024 10:45:00 +0000

Type	Values Removed	Values Added
References	https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

Wed, 30 Oct 2024 15:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:9 cpe:/o:redhat:enterprise_linux:9

Wed, 02 Oct 2024 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel E4s Redhat rhel Tus
CPEs		cpe:/o:redhat:rhel_aus:8.6 cpe:/o:redhat:rhel_e4s:8.6 cpe:/o:redhat:rhel_tus:8.6
Vendors & Products		Redhat rhel Aus Redhat rhel E4s Redhat rhel Tus

Tue, 24 Sep 2024 11:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:rhel_eus:8.8

Tue, 24 Sep 2024 06:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:8::nfv
Vendors & Products		Redhat enterprise Linux

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-04-24T21:49:22.001Z

Updated: 2025-05-04T08:59:47.874Z

Reserved: 2024-02-19T14:20:24.194Z

Link: CVE-2024-26923

Vulnrichment

Updated: 2024-08-02T00:21:05.612Z

NVD

Status : Awaiting Analysis

Published: 2024-04-25T06:15:57.160

Modified: 2024-11-21T09:03:23.543

Link: CVE-2024-26923

Redhat

Severity : Moderate

Publid Date: 2024-04-24T00:00:00Z

Links: CVE-2024-26923 - Bugzilla

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-26923", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.194Z", "datePublished": "2024-04-24T21:49:22.001Z", "dateUpdated": "2025-05-04T08:59:47.874Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:59:47.874Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix garbage collector racing against connect()\n\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\n\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV's fd will be passed via sendmsg(), gets inflight count bumped\n\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\n\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\n\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\n\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\n\n\t\t\tclose(V)\n\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\n\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t if (total_refs == inflight_refs)\n\t\t\t\t\t\t add u to gc_candidates\n\n\t\t\t\t\t\t// gc_candidates={L, V}\n\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t scan_children(u, dec_inflight)\n\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V's\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t if (u.inflight)\n\t\t\t\t\t\t scan_children(u, inc_inflight_move_tail)\n\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\n\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/unix/garbage.c"], "versions": [{"version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "a36ae0ec2353015f0f6762e59f4c2dbc0c906423", "status": "affected", "versionType": "git"}, {"version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "343c5372d5e17b306db5f8f3c895539b06e3177f", "status": "affected", "versionType": "git"}, {"version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "2e2a03787f4f0abc0072350654ab0ef3324d9db3", "status": "affected", "versionType": "git"}, {"version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "e76c2678228f6aec74b305ae30c9374cc2f28a51", "status": "affected", "versionType": "git"}, {"version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "b75722be422c276b699200de90527d01c602ea7c", "status": "affected", "versionType": "git"}, {"version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "507cc232ffe53a352847893f8177d276c3b532a9", "status": "affected", "versionType": "git"}, {"version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "dbdf7bec5c920200077d693193f989cb1513f009", "status": "affected", "versionType": "git"}, {"version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "47d8ac011fe1c9251070e1bd64cb10b48193ec51", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/unix/garbage.c"], "versions": [{"version": "2.6.23", "status": "affected"}, {"version": "0", "lessThan": "2.6.23", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.314", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.275", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.216", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.156", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.87", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.28", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.7", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "4.19.314"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "5.4.275"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "5.10.216"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "5.15.156"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "6.1.87"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "6.6.28"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "6.8.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "6.9"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423"}, {"url": "https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f"}, {"url": "https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3"}, {"url": "https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51"}, {"url": "https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c"}, {"url": "https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9"}, {"url": "https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009"}, {"url": "https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51"}], "title": "af_unix: Fix garbage collector racing against connect()", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-02T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2024-26923"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-10T19:34:43.753Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:21:05.612Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:21:05.612Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26923", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-07T17:09:18.824729Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-07T17:09:23.986Z"}}], "cna": {"title": "af_unix: Fix garbage collector racing against connect()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "a36ae0ec2353015f0f6762e59f4c2dbc0c906423", "versionType": "git"}, {"status": "affected", "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "343c5372d5e17b306db5f8f3c895539b06e3177f", "versionType": "git"}, {"status": "affected", "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "2e2a03787f4f0abc0072350654ab0ef3324d9db3", "versionType": "git"}, {"status": "affected", "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "e76c2678228f6aec74b305ae30c9374cc2f28a51", "versionType": "git"}, {"status": "affected", "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "b75722be422c276b699200de90527d01c602ea7c", "versionType": "git"}, {"status": "affected", "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "507cc232ffe53a352847893f8177d276c3b532a9", "versionType": "git"}, {"status": "affected", "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "dbdf7bec5c920200077d693193f989cb1513f009", "versionType": "git"}, {"status": "affected", "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "47d8ac011fe1c9251070e1bd64cb10b48193ec51", "versionType": "git"}], "programFiles": ["net/unix/garbage.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "2.6.23"}, {"status": "unaffected", "version": "0", "lessThan": "2.6.23", "versionType": "semver"}, {"status": "unaffected", "version": "4.19.314", "versionType": "semver", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.275", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.216", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.156", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.87", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.28", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.8.7", "versionType": "semver", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/unix/garbage.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423"}, {"url": "https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f"}, {"url": "https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3"}, {"url": "https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51"}, {"url": "https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c"}, {"url": "https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9"}, {"url": "https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009"}, {"url": "https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix garbage collector racing against connect()\n\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\n\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV's fd will be passed via sendmsg(), gets inflight count bumped\n\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\n\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\n\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\n\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\n\n\t\t\tclose(V)\n\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\n\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t if (total_refs == inflight_refs)\n\t\t\t\t\t\t add u to gc_candidates\n\n\t\t\t\t\t\t// gc_candidates={L, V}\n\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t scan_children(u, dec_inflight)\n\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V's\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t if (u.inflight)\n\t\t\t\t\t\t scan_children(u, inc_inflight_move_tail)\n\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\n\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.19.314", "versionStartIncluding": "2.6.23"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.4.275", "versionStartIncluding": "2.6.23"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.216", "versionStartIncluding": "2.6.23"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.156", "versionStartIncluding": "2.6.23"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.1.87", "versionStartIncluding": "2.6.23"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.28", "versionStartIncluding": "2.6.23"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.8.7", "versionStartIncluding": "2.6.23"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.9", "versionStartIncluding": "2.6.23"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:59:47.874Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26923", "state": "PUBLISHED", "dateUpdated": "2025-05-04T08:59:47.874Z", "dateReserved": "2024-02-19T14:20:24.194Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-04-24T21:49:22.001Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix garbage collector racing against connect()\n\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\n\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV's fd will be passed via sendmsg(), gets inflight count bumped\n\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\n\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\n\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\n\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\n\n\t\t\tclose(V)\n\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\n\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t if (total_refs == inflight_refs)\n\t\t\t\t\t\t add u to gc_candidates\n\n\t\t\t\t\t\t// gc_candidates={L, V}\n\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t scan_children(u, dec_inflight)\n\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V's\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t if (u.inflight)\n\t\t\t\t\t\t scan_children(u, inc_inflight_move_tail)\n\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\n\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: af_unix: corrige la ejecuci\u00f3n del recolector de basura contra connect() El recolector de basura no tiene en cuenta el riesgo de que el embri\u00f3n quede en cola durante la recolecci\u00f3n de basura. Si dicho embri\u00f3n tiene un par que porta SCM_RIGHTS, dos pases consecutivos de scan_children() pueden ver un conjunto diferente de ni\u00f1os. Lo que lleva a un recuento en vuelo elevado incorrectamente y luego a un puntero colgante dentro de gc_inflight_list. los sockets son AF_UNIX/SOCK_STREAM S es un socket no conectado L es un socket de escucha en vuelo vinculado a addr, no en fdtable El fd de V se pasar\u00e1 a trav\u00e9s de sendmsg(), se aumenta el recuento en vuelo connect(S, addr) sendmsg(S, [ V]); cerrar(V) __unix_gc() ---------- ------------------------- -- --------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 en vuelo=0 NS = unix_peer(S ) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V se convirti\u00f3 en vuelo // V recuento=2 en vuelo=1 close(V) // V recuento=1 en vuelo=1 // Condici\u00f3n candidata de GC cumplida para u en gc_inflight_list: if (total_refs == inflight_refs) agregue u a gc_candidates // gc_candidates={L, V} para u en gc_candidates: scan_children(u, dec_inflight) // el embri\u00f3n (skb1) a\u00fan no era // accesible desde L , por lo que V's // en vuelo permanece sin cambios __skb_queue_tail(L, skb1) unix_state_unlock(L) para u en gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) Si hay un socket de escucha candidato a GC, bloquear/desbloquear su estado. Esto hace que GC espere hasta el final de cualquier conexi\u00f3n () en curso a ese socket. Despu\u00e9s de girar la cerradura, un embri\u00f3n posiblemente cargado de SCM ya est\u00e1 en cola. Y si viene otro embri\u00f3n, no es posible que porte SCM_RIGHTS. En este punto, unix_inflight() no puede ocurrir porque unix_gc_lock ya est\u00e1 en uso. El gr\u00e1fico a bordo no se ve afectado."}], "id": "CVE-2024-26923", "lastModified": "2024-11-21T09:03:23.543", "metrics": {}, "published": "2024-04-25T06:15:57.160", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2024:7001", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-553.22.1.rt7.363.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:7000", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-553.22.1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:7486", "cpe": "cpe:/o:redhat:rhel_aus:8.6", "package": "kernel-0:4.18.0-372.125.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-10-02T00:00:00Z"}, {"advisory": "RHSA-2024:7486", "cpe": "cpe:/o:redhat:rhel_tus:8.6", "package": "kernel-0:4.18.0-372.125.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-10-02T00:00:00Z"}, {"advisory": "RHSA-2024:7486", "cpe": "cpe:/o:redhat:rhel_e4s:8.6", "package": "kernel-0:4.18.0-372.125.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-10-02T00:00:00Z"}, {"advisory": "RHSA-2024:6993", "cpe": "cpe:/o:redhat:rhel_eus:8.8", "package": "kernel-0:4.18.0-477.74.1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:8617", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-427.42.1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8617", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-427.42.1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:4823", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "kernel-0:5.14.0-284.75.1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4831", "cpe": "cpe:/a:redhat:rhel_eus:9.2::nfv", "package": "kernel-rt-0:5.14.0-284.75.1.rt14.360.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-07-24T00:00:00Z"}], "bugzilla": {"description": "kernel: af_unix: Fix garbage collector racing against connect()", "id": "2277171", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2277171"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-362", "details": ["In the Linux kernel, the following vulnerability has been resolved:\naf_unix: Fix garbage collector racing against connect()\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV's fd will be passed via sendmsg(), gets inflight count bumped\nconnect(S, addr)sendmsg(S, [V]); close(V)__unix_gc()\n----------------------------------------------------\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n// V count=1 inflight=0\nNS = unix_peer(S)\nskb2 = sock_alloc()\nskb_queue_tail(NS, skb2[V])\n// V became in-flight\n// V count=2 inflight=1\nclose(V)\n// V count=1 inflight=1\n// GC candidate condition met\nfor u in gc_inflight_list:\nif (total_refs == inflight_refs)\nadd u to gc_candidates\n// gc_candidates={L, V}\nfor u in gc_candidates:\nscan_children(u, dec_inflight)\n// embryo (skb1) was not\n// reachable from L yet, so V's\n// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\nfor u in gc_candidates:\nif (u.inflight)\nscan_children(u, inc_inflight_move_tail)\n// V count=1 inflight=2 (!)\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected.", "A flaw was found in the Linux kernel, where the management of inter-process communication uses AF_UNIX sockets. The issue arises from a race condition where a partially initialized socket with specific permissions carrying SCM_RIGHTS is improperly handled during garbage collection. This situation leads to an incorrect count of active sockets, potentially causing resources to remain unaccounted for and never released."], "mitigation": {"lang": "en:us", "value": "There are no known mitigations to this issue and updating to the latest Linux kernel version is recommended to address this vulnerability\u200b."}, "name": "CVE-2024-26923", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26923\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26923\nhttps://lore.kernel.org/linux-cve-announce/2024042418-CVE-2024-26923-f7f6@gregkh/T"], "statement": "Red Hat rates the security impact of this vulnerability as Moderate due to the worst-case scenario resulting in a resource consumption attack. Considering this is a timing attack and is hard to replicate outside of very controlled environments, the vulnerability is not rated higher.", "threat_severity": "Moderate"}

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object