
CVE-2024-26923: Vulnerability in Linux Linux

High
Published: Wed Apr 24 2024 (04/24/2024, 21:49:22 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

af_unix: Fix garbage collector racing against connect()

Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list.

sockets are AF_UNIX/SOCK_STREAM
S is an unconnected socket
L is a listening in-flight socket bound to addr, not in fdtable
V's fd will be passed via sendmsg(), gets inflight count bumped

connect(S, addr)          sendmsg(S, [V]); close(V)     __unix_gc()
----------------          -------------------------     -----------
NS = unix_create1()
skb1 = sock_wmalloc(NS)
L = unix_find_other(addr)
unix_state_lock(L)
unix_peer(S) = NS
                          // V count=1 inflight=0
                          NS = unix_peer(S)
                          skb2 = sock_alloc()
                          skb_queue_tail(NS, skb2[V])
                          // V became in-flight
                          // V count=2 inflight=1
                          close(V)
                          // V count=1 inflight=1
                          // GC candidate condition met
                                                        for u in gc_inflight_list:
                                                          if (total_refs == inflight_refs)
                                                            add u to gc_candidates
                                                        // gc_candidates={L, V}
                                                        for u in gc_candidates:
                                                          scan_children(u, dec_inflight)
                                                        // embryo (skb1) was not
                                                        // reachable from L yet, so V's
                                                        // inflight remains unchanged
__skb_queue_tail(L, skb1)
unix_state_unlock(L)
                                                        for u in gc_candidates:
                                                          if (u.inflight)
                                                            scan_children(u, inc_inflight_move_tail)
                                                        // V count=1 inflight=2 (!)

If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.

AI-Powered Analysis

Last updated: 06/29/2025, 13:11:56 UTC

Technical Analysis

CVE-2024-26923 is a race condition in the Linux kernel's AF_UNIX socket implementation between the in-flight file descriptor garbage collector (__unix_gc()) and connect(). An "embryo" is the not-yet-accepted server-side socket that connect() creates and queues on a listening socket. If the embryo's peer has already had file descriptors passed to it with SCM_RIGHTS (the AF_UNIX mechanism for passing file descriptors between processes), the embryo can be enqueued on the listener between the two scan_children() passes of a single collection. The two passes then see different sets of children: the first pass never decrements the passed socket's inflight count through the listener, but the second pass increments it, leaving the inflight count higher than the socket's total reference count (inflight=2 against count=1 in the timeline in the description). The collector's bookkeeping is then wrong, which ultimately leaves a dangling pointer in gc_inflight_list and can lead to use-after-free or other kernel memory corruption. The affected sockets are AF_UNIX/SOCK_STREAM, and the scenario involves socket creation, sendmsg() with file descriptor passing, close(), and garbage collection interleaving in a specific order. The root cause is that candidate selection and scanning in the collector were not synchronized with an in-progress connect() on a candidate listening socket. The fix makes the collector take and release the state lock of every GC-candidate listening socket, so it waits for any connect() in progress on that socket. Once the lock has been flipped, any embryo that could carry SCM_RIGHTS is already queued and visible to both passes, and a later embryo cannot carry file descriptors because unix_inflight() cannot run while unix_gc_lock is held, so the inflight graph stays consistent. The flaw is subtle and low-level, confined to the kernel's internal socket reference accounting.
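A toy model of the two scan passes, added here as an illustration and not kernel code. It replays the three possible orderings of the embryo enqueue relative to the GC passes using the socket names from the description; Sock, children(), unix_gc(), run() and overcounted() are this model's own constructs, and the real collector walks sk_buff queues under locks that are omitted here.

```python
"""Toy model (added illustration, not kernel code) of the two scan_children()
passes in __unix_gc(), showing why an embryo queued on listener L between the
passes leaves V with inflight > refs, and why the fix's ordering avoids it."""

class Sock:
    def __init__(self, name, refs, inflight):
        self.name = name
        self.refs = refs          # total references (fd table + in-flight)
        self.inflight = inflight  # references held by queued SCM_RIGHTS
        self.queue = []           # sockets whose fds sit in this socket's queue
        self.embryos = []         # unaccepted connections (listeners only)

def children(s):
    """Sockets reachable from s: fds queued on s and on its queued embryos."""
    out = list(s.queue)
    for e in s.embryos:
        out.extend(e.queue)
    return out

def unix_gc(inflight_list, between_passes=None):
    """Two-pass scan; between_passes models a connect() finishing mid-GC."""
    candidates = [u for u in inflight_list if u.refs == u.inflight]
    for u in candidates:            # pass 1: scan_children(u, dec_inflight)
        for c in children(u):
            c.inflight -= 1
    if between_passes:
        between_passes()
    for u in candidates:            # pass 2: scan_children(u, inc_inflight_move_tail)
        if u.inflight > 0:          # still referenced from outside the candidates
            for c in children(u):
                c.inflight += 1
    return {u.name: (u.refs, u.inflight) for u in inflight_list}

def run(when):
    """Replay the page's timeline with the embryo enqueued 'before', 'between'
    or 'after' the GC passes. Returns {name: (refs, inflight)} after GC."""
    L = Sock("L", refs=1, inflight=1)    # listening, in flight, not in fdtable
    V = Sock("V", refs=1, inflight=1)    # fd passed via sendmsg(), then closed
    NS = Sock("NS", refs=1, inflight=0)  # embryo created by connect(S, addr)
    NS.queue.append(V)                   # skb2[V] queued on NS by sendmsg()
    enqueue = lambda: L.embryos.append(NS)   # __skb_queue_tail(L, skb1)
    if when == "before":
        enqueue()
    snap = unix_gc([L, V], enqueue if when == "between" else None)
    if when == "after":
        enqueue()
    return snap

def overcounted(snapshot):
    """Sockets whose inflight count exceeds their total refs (the bug)."""
    return [n for n, (refs, inflight) in snapshot.items() if inflight > refs]
```

The fix's lock/unlock of the candidate listener guarantees the "before" or "after" ordering and rules out "between", which is the only one that leaves V overcounted.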

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions that utilize AF_UNIX sockets with SCM_RIGHTS for inter-process communication. Exploitation could lead to kernel memory corruption, potentially allowing local privilege escalation or denial of service through kernel crashes. Given that AF_UNIX sockets are commonly used for secure local IPC in many server and desktop environments, critical infrastructure, cloud providers, and enterprises relying on Linux-based systems could face service disruptions or compromise of system integrity. The impact is heightened in environments where untrusted local users or compromised processes can interact with vulnerable sockets, such as multi-tenant cloud platforms, containerized environments, or shared hosting. Although no known exploits are reported in the wild yet, the complexity of the vulnerability and its kernel-level nature mean that exploitation requires local access and some technical sophistication. However, successful exploitation could undermine confidentiality, integrity, and availability of affected systems, impacting data security and operational continuity.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernel to versions where this vulnerability is patched. Since the vulnerability involves kernel-level socket handling, applying official kernel updates from trusted Linux distributions is the most effective mitigation. Additionally, organizations should:

1) Restrict local user access and enforce strict privilege separation to minimize the risk of local exploitation.
2) Monitor and audit usage of AF_UNIX sockets, especially those involving SCM_RIGHTS, to detect anomalous or unauthorized IPC activities.
3) Employ kernel hardening techniques such as SELinux or AppArmor policies to limit socket operations and inter-process communications.
4) In containerized or virtualized environments, isolate workloads to reduce the attack surface and prevent lateral movement.
5) Maintain comprehensive logging and alerting on kernel errors or crashes that might indicate exploitation attempts.
6) Engage in proactive vulnerability management and testing to ensure timely deployment of patches and detection of potential exploitation.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.194Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9829c4522896dcbe2e4a

Added to database: 5/21/2025, 9:08:57 AM

Last enriched: 6/29/2025, 1:11:56 PM

Last updated: 8/16/2025, 5:37:33 AM


