
CVE-2024-26750: Vulnerability in Linux

Severity: High
Published: Thu Apr 04 2024 (04/04/2024, 08:20:14 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

af_unix: Drop oob_skb ref before purging queue in GC.

syzbot reported another task hung in __unix_gc(). [0]

The current while loop assumes that all of the left candidates have oob_skb and calling kfree_skb(oob_skb) releases the remaining candidates.

However, I missed a case that oob_skb has self-referencing fd and another fd and the latter sk is placed before the former in the candidate list. Then, the while loop never proceeds, resulting in the task hang.

__unix_gc() has the same loop just before purging the collected skb, so we can call kfree_skb(oob_skb) there and let __skb_queue_purge() release all inflight sockets.

[0]:
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 2784 Comm: kworker/u4:8 Not tainted 6.8.0-rc4-syzkaller-01028-g71b605d32017 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Workqueue: events_unbound __unix_gc
RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:200
Code: 89 fb e8 23 00 00 00 48 8b 3d 84 f5 1a 0c 48 89 de 5b e9 43 26 57 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 48 8b 04 24 65 48 8b 0d 90 52 70 7e 65 8b 15 91 52 70
RSP: 0018:ffffc9000a17fa78 EFLAGS: 00000287
RAX: ffffffff8a0a6108 RBX: ffff88802b6c2640 RCX: ffff88802c0b3b80
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
RBP: ffffc9000a17fbf0 R08: ffffffff89383f1d R09: 1ffff1100ee5ff84
R10: dffffc0000000000 R11: ffffed100ee5ff85 R12: 1ffff110056d84ee
R13: ffffc9000a17fae0 R14: 0000000000000000 R15: ffffffff8f47b840
FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffef5687ff8 CR3: 0000000029b34000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <NMI>
 </NMI>
 <TASK>
 __unix_gc+0xe69/0xf40 net/unix/garbage.c:343
 process_one_work kernel/workqueue.c:2633 [inline]
 process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706
 worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787
 kthread+0x2ef/0x390 kernel/kthread.c:388
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
 </TASK>

AI-Powered Analysis

Last updated: 06/29/2025, 18:10:50 UTC

Technical Analysis

CVE-2024-26750 is a vulnerability in the Linux kernel's af_unix subsystem, specifically in the garbage collection function __unix_gc(). It stems from the handling of out-of-band socket buffers (oob_skb) while the collected socket queue is purged. A while loop that processes the garbage candidates assumes that every remaining candidate holds an oob_skb and that calling kfree_skb(oob_skb) will release the remaining candidates. That assumption fails in one edge case: an oob_skb that carries both a self-referencing file descriptor (fd) and a second fd, where the socket behind the second fd sits before the self-referencing one in the candidate list. In that ordering the loop never makes progress, and the kernel worker thread running the garbage collector hangs. The fix drops the oob_skb reference in the loop that runs just before the purge, so that __skb_queue_purge() releases all inflight sockets and the hang cannot occur. The vulnerability was reported by syzbot, and the affected kernel versions are identified by commit hashes rather than release numbers. No exploits in the wild have been reported, and no CVSS score has been assigned. The affected code is the kernel's internal socket garbage collector, which matters for resource management and system stability.

Potential Impact

For European organizations relying on Linux-based systems, this vulnerability can leave kernel worker threads hung, degrading system performance or producing a denial of service. Systems that make heavy use of Unix domain sockets for inter-process communication, such as servers running container orchestration platforms, microservices architectures, or complex middleware, are particularly exposed. A hung kernel worker thread may not crash the system immediately, but it can lead to resource exhaustion or stalled services, affecting availability and operational continuity. Given Linux's widespread use in enterprise servers, cloud infrastructure, and embedded devices across Europe, the vulnerability could affect critical infrastructure, financial services, telecommunications, and public sector systems. There is no evidence of remote code execution or privilege escalation, but the denial of service impact on kernel stability is significant, especially in high-availability environments. Because no user interaction or authentication is needed to trigger the hang (assuming a local process can set up the affected socket conditions), the risk is higher in multi-tenant or shared environments.

Mitigation Recommendations

European organizations should prioritize applying the official Linux kernel patches that address this vulnerability as soon as they become available. In the interim, system administrators should monitor kernel worker thread activity and system logs for signs of hung tasks related to __unix_gc or socket garbage collection. Implementing kernel live patching solutions where feasible can reduce downtime associated with patch deployment. Additionally, organizations should audit and limit the use of Unix domain sockets in untrusted or less controlled environments to reduce exposure. Employing container runtime security best practices, such as restricting capabilities and isolating workloads, can mitigate the risk of local exploitation. Regularly updating Linux distributions to incorporate upstream kernel fixes and maintaining robust system monitoring and alerting for kernel anomalies will further reduce impact. Finally, engaging with Linux distribution vendors and security mailing lists can provide timely information on patch availability and vulnerability status.
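One way to implement the log monitoring suggested above, as an added example that is not part of this record: a Python scanner that groups kernel hung-task and NMI-backtrace reports and flags those whose workqueue or call trace involves unix_gc/__unix_gc. The log lines are constructed samples modelled on the backtrace in the description, with made-up offsets.

```python
import re

# Constructed sample kernel log (not a real capture). Message shapes follow the
# hung-task detector and the NMI backtrace quoted in the CVE description.
SAMPLE_LOG = """\
[ 1203.117] INFO: task syz-executor:3127 blocked for more than 143 seconds.
[ 1203.119] Call Trace:
[ 1203.121]  unix_gc+0x1f0/0x2a0
[ 1203.122]  unix_release_sock+0x3c1/0x8e0
[ 1203.126] NMI backtrace for cpu 1
[ 1203.127] Workqueue: events_unbound __unix_gc
[ 1203.128] Call Trace:
[ 1203.129]  __unix_gc+0xe69/0xf40
[ 1203.130]  process_scheduled_works+0x913/0x1420
[ 1210.001] INFO: task nfsd:3311 blocked for more than 120 seconds.
[ 1210.002] Call Trace:
[ 1210.003]  rpc_wait_bit_killable+0x12/0x40
"""

TS_RE = re.compile(r"^\[\s*[\d.]+\]\s?")  # dmesg "[ 1203.117] " prefix
HUNG_RE = re.compile(r"INFO: task (?P<comm>\S+?):(?P<pid>\d+) blocked for more than (?P<secs>\d+) seconds")
NMI_RE = re.compile(r"NMI backtrace for cpu (?P<cpu>\d+)")
WQ_RE = re.compile(r"Workqueue: (?P<wq>\S+) (?P<fn>\S+)")
FRAME_RE = re.compile(r"^\s*(?P<sym>[A-Za-z_]\w*)\+0x[0-9a-f]+/0x[0-9a-f]+")
UNIX_GC_RE = re.compile(r"^_{0,2}unix_gc$")  # matches unix_gc and __unix_gc

def parse_reports(log):
    """Split a kernel log into reports, collecting each report's symbols."""
    reports, cur = [], None
    for line in log.splitlines():
        body = TS_RE.sub("", line, count=1)
        if m := HUNG_RE.search(body):
            cur = {"kind": "hung_task", "comm": m["comm"], "pid": int(m["pid"]),
                   "secs": int(m["secs"]), "symbols": []}
            reports.append(cur)
        elif m := NMI_RE.search(body):
            cur = {"kind": "nmi_backtrace", "cpu": int(m["cpu"]), "symbols": []}
            reports.append(cur)
        elif cur is not None:
            if m := WQ_RE.search(body):
                cur["symbols"].append(m["fn"])   # workqueue function name
            elif m := FRAME_RE.match(body):
                cur["symbols"].append(m["sym"])  # call-trace frame symbol
    return reports

def find_unix_gc_hangs(log):
    """Return only the reports whose trace or workqueue involves the af_unix GC."""
    return [r for r in parse_reports(log)
            if any(UNIX_GC_RE.match(s) for s in r["symbols"])]
```

Feed it `dmesg` or `journalctl -k` output; an unrelated blocked task (the nfsd report in the sample) is parsed but not flagged.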


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.169Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982ac4522896dcbe3a45

Added to database: 5/21/2025, 9:08:58 AM

Last enriched: 6/29/2025, 6:10:50 PM

Last updated: 7/26/2025, 1:28:49 PM

