CVE-2024-26676: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC. syzbot reported a warning [0] in __unix_gc() with a repro, which creates a socketpair and sends one socket's fd to itself using the peer. socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0 sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\360", iov_len=1}], msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, cmsg_data=[3]}], msg_controllen=24, msg_flags=0}, MSG_OOB|MSG_PROBE|MSG_DONTWAIT|MSG_ZEROCOPY) = 1 This forms a self-cyclic reference that GC should finally untangle but does not due to lack of MSG_OOB handling, resulting in memory leak. Recently, commit 11498715f266 ("af_unix: Remove io_uring code for GC.") removed io_uring's dead code in GC and revealed the problem. The code was executed at the final stage of GC and unconditionally moved all GC candidates from gc_candidates to gc_inflight_list. That papered over the reported problem by always making the following WARN_ON_ONCE(!list_empty(&gc_candidates)) false. The problem has been there since commit 2aab4b969002 ("af_unix: fix struct pid leaks in OOB support") added full scm support for MSG_OOB while fixing another bug. To fix this problem, we must call kfree_skb() for unix_sk(sk)->oob_skb if the socket still exists in gc_candidates after purging collected skb. Then, we need to set NULL to oob_skb before calling kfree_skb() because it calls last fput() and triggers unix_release_sock(), where we call duplicate kfree_skb(u->oob_skb) if not NULL. Note that the leaked socket remained being linked to a global list, so kmemleak also could not detect it. We need to check /proc/net/protocol to notice the unfreed socket. [0]: WARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345 Modules linked in: CPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Workqueue: events_unbound __unix_gc RIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345 Code: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 <0f> 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8 RSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493e RDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30 RBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66 R10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000 R13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> process_one_work+0x889/0x15e0 kernel/workqueue.c:2633 process_scheduled_works kernel/workqueue.c:2706 [inline] worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787 kthread+0x2c6/0x3b0 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242 </TASK>
AI Analysis
Technical Summary
CVE-2024-26676 is a medium-severity vulnerability in the Linux kernel's AF_UNIX socket implementation, specifically within the garbage collection (GC) logic for out-of-band (OOB) socket buffers (skb). The flaw arises from improper handling of self-referential socket pairs created using socketpair(AF_UNIX, SOCK_STREAM, 0, [fd1, fd2]) where one socket's file descriptor is sent to itself via the peer socket using sendmsg with the MSG_OOB flag. This creates a cyclic reference that the GC mechanism fails to properly break due to missing handling of MSG_OOB sockets, resulting in a memory leak. The root cause traces back to a commit that added full SCM (socket control message) support for MSG_OOB but did not account for this edge case in GC. The vulnerability manifests as a leaked socket object that remains linked in a global list, evading detection by kmemleak and causing resource exhaustion over time. The kernel warning and stack trace provided show the failure point in __unix_gc() during the final GC stage. The fix involves explicitly calling kfree_skb() on the dead unix_sk(sk)->oob_skb if it remains in gc_candidates after purging, and nullifying the pointer before freeing to avoid double free during socket release. This vulnerability affects multiple Linux kernel versions from the commit that introduced full MSG_OOB SCM support onward, including recent 6.8.0-rc1 development kernels. Although it does not directly allow code execution or privilege escalation, the memory leak can degrade system stability and availability, especially on systems with heavy AF_UNIX socket usage. No known exploits are reported in the wild yet.
Potential Impact
For European organizations, this vulnerability primarily threatens the availability and stability of Linux-based systems that utilize AF_UNIX sockets extensively, such as servers running container runtimes, microservices, or IPC-heavy applications. Memory leaks can accumulate over time, leading to resource exhaustion, degraded performance, or kernel crashes, potentially causing denial of service conditions. Critical infrastructure, cloud providers, and enterprises relying on Linux servers for internal communications could experience service interruptions. While the vulnerability does not compromise confidentiality or integrity directly, the resulting instability could impact business continuity and operational reliability. Systems running older or unpatched Linux kernels are at higher risk. Given the widespread use of Linux in European data centers, telecom, and government sectors, the impact could be significant if left unmitigated.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2024-26676 as soon as they become available from trusted sources or Linux distribution vendors. 2. For organizations unable to immediately patch, monitor /proc/net/protocol for abnormal socket entries indicating leaked sockets and implement proactive system restarts or resource cleanup scripts to mitigate memory exhaustion. 3. Limit or audit the use of AF_UNIX socket pairs with MSG_OOB flags in application code to reduce exposure to the vulnerable code path. 4. Employ kernel hardening and monitoring tools that can detect unusual kernel warnings or memory leaks related to socket management. 5. In containerized environments, isolate workloads and limit privileges to reduce the impact scope if the vulnerability is triggered. 6. Maintain up-to-date kernel versions and subscribe to security advisories from Linux vendors and the CVE database for timely awareness.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
CVE-2024-26676: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC. syzbot reported a warning [0] in __unix_gc() with a repro, which creates a socketpair and sends one socket's fd to itself using the peer. socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0 sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\360", iov_len=1}], msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, cmsg_data=[3]}], msg_controllen=24, msg_flags=0}, MSG_OOB|MSG_PROBE|MSG_DONTWAIT|MSG_ZEROCOPY) = 1 This forms a self-cyclic reference that GC should finally untangle but does not due to lack of MSG_OOB handling, resulting in memory leak. Recently, commit 11498715f266 ("af_unix: Remove io_uring code for GC.") removed io_uring's dead code in GC and revealed the problem. The code was executed at the final stage of GC and unconditionally moved all GC candidates from gc_candidates to gc_inflight_list. That papered over the reported problem by always making the following WARN_ON_ONCE(!list_empty(&gc_candidates)) false. The problem has been there since commit 2aab4b969002 ("af_unix: fix struct pid leaks in OOB support") added full scm support for MSG_OOB while fixing another bug. To fix this problem, we must call kfree_skb() for unix_sk(sk)->oob_skb if the socket still exists in gc_candidates after purging collected skb. Then, we need to set NULL to oob_skb before calling kfree_skb() because it calls last fput() and triggers unix_release_sock(), where we call duplicate kfree_skb(u->oob_skb) if not NULL. Note that the leaked socket remained being linked to a global list, so kmemleak also could not detect it. We need to check /proc/net/protocol to notice the unfreed socket. [0]: WARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345 Modules linked in: CPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Workqueue: events_unbound __unix_gc RIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345 Code: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 <0f> 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8 RSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493e RDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30 RBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66 R10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000 R13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> process_one_work+0x889/0x15e0 kernel/workqueue.c:2633 process_scheduled_works kernel/workqueue.c:2706 [inline] worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787 kthread+0x2c6/0x3b0 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242 </TASK>
AI-Powered Analysis
Technical Analysis
CVE-2024-26676 is a medium-severity vulnerability in the Linux kernel's AF_UNIX socket implementation, specifically within the garbage collection (GC) logic for out-of-band (OOB) socket buffers (skb). The flaw arises from improper handling of self-referential socket pairs created using socketpair(AF_UNIX, SOCK_STREAM, 0, [fd1, fd2]) where one socket's file descriptor is sent to itself via the peer socket using sendmsg with the MSG_OOB flag. This creates a cyclic reference that the GC mechanism fails to properly break due to missing handling of MSG_OOB sockets, resulting in a memory leak. The root cause traces back to a commit that added full SCM (socket control message) support for MSG_OOB but did not account for this edge case in GC. The vulnerability manifests as a leaked socket object that remains linked in a global list, evading detection by kmemleak and causing resource exhaustion over time. The kernel warning and stack trace provided show the failure point in __unix_gc() during the final GC stage. The fix involves explicitly calling kfree_skb() on the dead unix_sk(sk)->oob_skb if it remains in gc_candidates after purging, and nullifying the pointer before freeing to avoid double free during socket release. This vulnerability affects multiple Linux kernel versions from the commit that introduced full MSG_OOB SCM support onward, including recent 6.8.0-rc1 development kernels. Although it does not directly allow code execution or privilege escalation, the memory leak can degrade system stability and availability, especially on systems with heavy AF_UNIX socket usage. No known exploits are reported in the wild yet.
Potential Impact
For European organizations, this vulnerability primarily threatens the availability and stability of Linux-based systems that utilize AF_UNIX sockets extensively, such as servers running container runtimes, microservices, or IPC-heavy applications. Memory leaks can accumulate over time, leading to resource exhaustion, degraded performance, or kernel crashes, potentially causing denial of service conditions. Critical infrastructure, cloud providers, and enterprises relying on Linux servers for internal communications could experience service interruptions. While the vulnerability does not compromise confidentiality or integrity directly, the resulting instability could impact business continuity and operational reliability. Systems running older or unpatched Linux kernels are at higher risk. Given the widespread use of Linux in European data centers, telecom, and government sectors, the impact could be significant if left unmitigated.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2024-26676 as soon as they become available from trusted sources or Linux distribution vendors. 2. For organizations unable to immediately patch, monitor /proc/net/protocol for abnormal socket entries indicating leaked sockets and implement proactive system restarts or resource cleanup scripts to mitigate memory exhaustion. 3. Limit or audit the use of AF_UNIX socket pairs with MSG_OOB flags in application code to reduce exposure to the vulnerable code path. 4. Employ kernel hardening and monitoring tools that can detect unusual kernel warnings or memory leaks related to socket management. 5. In containerized environments, isolate workloads and limit privileges to reduce the impact scope if the vulnerability is triggered. 6. Maintain up-to-date kernel versions and subscribe to security advisories from Linux vendors and the CVE database for timely awareness.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-19T14:20:24.151Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9819c4522896dcbd8dc6
Added to database: 5/21/2025, 9:08:41 AM
Last enriched: 7/5/2025, 9:42:14 AM
Last updated: 8/14/2025, 9:42:21 PM
Views: 23
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.