CVE-2024-26923 (GCVE-0-2024-26923)

Vulnerability from cvelistv5 – Published: 2024-04-24 21:49 – Updated: 2026-05-12 11:50
VLAI
Title
af_unix: Fix garbage collector racing against connect()
Summary
In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.
Severity
No CVSS data available.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < a36ae0ec2353015f0f6762e59f4c2dbc0c906423 (git)
Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < 343c5372d5e17b306db5f8f3c895539b06e3177f (git)
Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < 2e2a03787f4f0abc0072350654ab0ef3324d9db3 (git)
Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < e76c2678228f6aec74b305ae30c9374cc2f28a51 (git)
Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < b75722be422c276b699200de90527d01c602ea7c (git)
Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < 507cc232ffe53a352847893f8177d276c3b532a9 (git)
Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < dbdf7bec5c920200077d693193f989cb1513f009 (git)
Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < 47d8ac011fe1c9251070e1bd64cb10b48193ec51 (git)
Create a notification for this product.
Linux Linux Affected: 2.6.23
Unaffected: 0 , < 2.6.23 (semver)
Unaffected: 4.19.314 , ≤ 4.19.* (semver)
Unaffected: 5.4.275 , ≤ 5.4.* (semver)
Unaffected: 5.10.216 , ≤ 5.10.* (semver)
Unaffected: 5.15.156 , ≤ 5.15.* (semver)
Unaffected: 6.1.87 , ≤ 6.1.* (semver)
Unaffected: 6.6.28 , ≤ 6.6.* (semver)
Unaffected: 6.8.7 , ≤ 6.8.* (semver)
Unaffected: 6.9 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Siemens RUGGEDCOM RST2428P Affected: 0 , < V3.1 (custom)
Create a notification for this product.
Siemens SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family Unaffected: 0 , < * (custom)
Create a notification for this product.
Siemens SCALANCE XCM-/XRM-/XCH-/XRH-300 family Affected: 0 , < V3.1 (custom)
Create a notification for this product.
Siemens SIMATIC S7-1500 TM MFP - GNU/Linux subsystem Affected: 0 , < * (custom)
Create a notification for this product.
Siemens SIMATIC S7-1500 CPU 1518-4 PN/DP MFP Affected: V3.1.0 , < V3.1.5 (custom)
Create a notification for this product.
Siemens SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP Affected: V3.1.0 , < V3.1.5 (custom)
Create a notification for this product.
Siemens SIPLUS S7-1500 CPU 1518-4 PN/DP MFP Affected: V3.1.0 , < V3.1.5 (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26923",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-02T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-10T19:34:43.753Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:21:05.612Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "RUGGEDCOM RST2428P",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XCM-/XRM-/XCH-/XRH-300 family",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.1.5",
                "status": "affected",
                "version": "V3.1.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.1.5",
                "status": "affected",
                "version": "V3.1.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.1.5",
                "status": "affected",
                "version": "V3.1.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.1.5",
                "status": "affected",
                "version": "V3.1.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.1.5",
                "status": "affected",
                "version": "V3.1.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T11:50:40.454Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-398330.html"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-613116.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/unix/garbage.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a36ae0ec2353015f0f6762e59f4c2dbc0c906423",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            },
            {
              "lessThan": "343c5372d5e17b306db5f8f3c895539b06e3177f",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            },
            {
              "lessThan": "2e2a03787f4f0abc0072350654ab0ef3324d9db3",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            },
            {
              "lessThan": "e76c2678228f6aec74b305ae30c9374cc2f28a51",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            },
            {
              "lessThan": "b75722be422c276b699200de90527d01c602ea7c",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            },
            {
              "lessThan": "507cc232ffe53a352847893f8177d276c3b532a9",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            },
            {
              "lessThan": "dbdf7bec5c920200077d693193f989cb1513f009",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            },
            {
              "lessThan": "47d8ac011fe1c9251070e1bd64cb10b48193ec51",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/unix/garbage.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.23"
            },
            {
              "lessThan": "2.6.23",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.314",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.275",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.216",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.156",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.28",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.314",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.275",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.216",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.156",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.87",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.28",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.7",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix garbage collector racing against connect()\n\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\n\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV\u0027s fd will be passed via sendmsg(), gets inflight count bumped\n\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\n\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\n\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\n\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\n\n\t\t\tclose(V)\n\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\n\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t  if (total_refs == inflight_refs)\n\t\t\t\t\t\t    add u to gc_candidates\n\n\t\t\t\t\t\t// gc_candidates={L, V}\n\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  scan_children(u, dec_inflight)\n\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V\u0027s\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  if (u.inflight)\n\t\t\t\t\t\t    scan_children(u, inc_inflight_move_tail)\n\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\n\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:06:59.719Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423"
        },
        {
          "url": "https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3"
        },
        {
          "url": "https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51"
        },
        {
          "url": "https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009"
        },
        {
          "url": "https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51"
        }
      ],
      "title": "af_unix: Fix garbage collector racing against connect()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26923",
    "datePublished": "2024-04-24T21:49:22.001Z",
    "dateReserved": "2024-02-19T14:20:24.194Z",
    "dateUpdated": "2026-05-12T11:50:40.454Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-26923",
      "date": "2026-06-20",
      "epss": "0.00193",
      "percentile": "0.09037"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\naf_unix: Fix garbage collector racing against connect()\\n\\nGarbage collector does not take into account the risk of embryo getting\\nenqueued during the garbage collection. If such embryo has a peer that\\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\\ndifferent set of children. Leading to an incorrectly elevated inflight\\ncount, and then a dangling pointer within the gc_inflight_list.\\n\\nsockets are AF_UNIX/SOCK_STREAM\\nS is an unconnected socket\\nL is a listening in-flight socket bound to addr, not in fdtable\\nV\u0027s fd will be passed via sendmsg(), gets inflight count bumped\\n\\nconnect(S, addr)\\tsendmsg(S, [V]); close(V)\\t__unix_gc()\\n----------------\\t-------------------------\\t-----------\\n\\nNS = unix_create1()\\nskb1 = sock_wmalloc(NS)\\nL = unix_find_other(addr)\\nunix_state_lock(L)\\nunix_peer(S) = NS\\n\\t\\t\\t// V count=1 inflight=0\\n\\n \\t\\t\\tNS = unix_peer(S)\\n \\t\\t\\tskb2 = sock_alloc()\\n\\t\\t\\tskb_queue_tail(NS, skb2[V])\\n\\n\\t\\t\\t// V became in-flight\\n\\t\\t\\t// V count=2 inflight=1\\n\\n\\t\\t\\tclose(V)\\n\\n\\t\\t\\t// V count=1 inflight=1\\n\\t\\t\\t// GC candidate condition met\\n\\n\\t\\t\\t\\t\\t\\tfor u in gc_inflight_list:\\n\\t\\t\\t\\t\\t\\t  if (total_refs == inflight_refs)\\n\\t\\t\\t\\t\\t\\t    add u to gc_candidates\\n\\n\\t\\t\\t\\t\\t\\t// gc_candidates={L, V}\\n\\n\\t\\t\\t\\t\\t\\tfor u in gc_candidates:\\n\\t\\t\\t\\t\\t\\t  scan_children(u, dec_inflight)\\n\\n\\t\\t\\t\\t\\t\\t// embryo (skb1) was not\\n\\t\\t\\t\\t\\t\\t// reachable from L yet, so V\u0027s\\n\\t\\t\\t\\t\\t\\t// inflight remains unchanged\\n__skb_queue_tail(L, skb1)\\nunix_state_unlock(L)\\n\\t\\t\\t\\t\\t\\tfor u in gc_candidates:\\n\\t\\t\\t\\t\\t\\t  if (u.inflight)\\n\\t\\t\\t\\t\\t\\t    scan_children(u, inc_inflight_move_tail)\\n\\n\\t\\t\\t\\t\\t\\t// V count=1 inflight=2 (!)\\n\\nIf there is a GC-candidate listening socket, lock/unlock its state. This\\nmakes GC wait until the end of any ongoing connect() to that socket. After\\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\\nthis point, unix_inflight() can not happen because unix_gc_lock is already\\ntaken. Inflight graph remains unaffected.\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se resolvi\\u00f3 la siguiente vulnerabilidad: af_unix: corrige la ejecuci\\u00f3n del recolector de basura contra connect() El recolector de basura no tiene en cuenta el riesgo de que el embri\\u00f3n quede en cola durante la recolecci\\u00f3n de basura. Si dicho embri\\u00f3n tiene un par que porta SCM_RIGHTS, dos pases consecutivos de scan_children() pueden ver un conjunto diferente de ni\\u00f1os. Lo que lleva a un recuento en vuelo elevado incorrectamente y luego a un puntero colgante dentro de gc_inflight_list. los sockets son AF_UNIX/SOCK_STREAM S es un socket no conectado L es un socket de escucha en vuelo vinculado a addr, no en fdtable El fd de V se pasar\\u00e1 a trav\\u00e9s de sendmsg(), se aumenta el recuento en vuelo connect(S, addr) sendmsg(S, [ V]); cerrar(V) __unix_gc() ---------- ------------------------- -- --------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 en vuelo=0 NS = unix_peer(S ) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V se convirti\\u00f3 en vuelo // V recuento=2 en vuelo=1 close(V) // V recuento=1 en vuelo=1 // Condici\\u00f3n candidata de GC cumplida para u en gc_inflight_list: if (total_refs == inflight_refs) agregue u a gc_candidates // gc_candidates={L, V} para u en gc_candidates: scan_children(u, dec_inflight) // el embri\\u00f3n (skb1) a\\u00fan no era // accesible desde L , por lo que V\u0027s // en vuelo permanece sin cambios __skb_queue_tail(L, skb1) unix_state_unlock(L) para u en gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) Si hay un socket de escucha candidato a GC, bloquear/desbloquear su estado. Esto hace que GC espere hasta el final de cualquier conexi\\u00f3n () en curso a ese socket. Despu\\u00e9s de girar la cerradura, un embri\\u00f3n posiblemente cargado de SCM ya est\\u00e1 en cola. Y si viene otro embri\\u00f3n, no es posible que porte SCM_RIGHTS. En este punto, unix_inflight() no puede ocurrir porque unix_gc_lock ya est\\u00e1 en uso. El gr\\u00e1fico a bordo no se ve afectado.\"}]",
      "id": "CVE-2024-26923",
      "lastModified": "2024-11-21T09:03:23.543",
      "published": "2024-04-25T06:15:57.160",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Awaiting Analysis"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26923\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-25T06:15:57.160\",\"lastModified\":\"2026-05-12T12:16:26.473\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\naf_unix: Fix garbage collector racing against connect()\\n\\nGarbage collector does not take into account the risk of embryo getting\\nenqueued during the garbage collection. If such embryo has a peer that\\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\\ndifferent set of children. Leading to an incorrectly elevated inflight\\ncount, and then a dangling pointer within the gc_inflight_list.\\n\\nsockets are AF_UNIX/SOCK_STREAM\\nS is an unconnected socket\\nL is a listening in-flight socket bound to addr, not in fdtable\\nV\u0027s fd will be passed via sendmsg(), gets inflight count bumped\\n\\nconnect(S, addr)\\tsendmsg(S, [V]); close(V)\\t__unix_gc()\\n----------------\\t-------------------------\\t-----------\\n\\nNS = unix_create1()\\nskb1 = sock_wmalloc(NS)\\nL = unix_find_other(addr)\\nunix_state_lock(L)\\nunix_peer(S) = NS\\n\\t\\t\\t// V count=1 inflight=0\\n\\n \\t\\t\\tNS = unix_peer(S)\\n \\t\\t\\tskb2 = sock_alloc()\\n\\t\\t\\tskb_queue_tail(NS, skb2[V])\\n\\n\\t\\t\\t// V became in-flight\\n\\t\\t\\t// V count=2 inflight=1\\n\\n\\t\\t\\tclose(V)\\n\\n\\t\\t\\t// V count=1 inflight=1\\n\\t\\t\\t// GC candidate condition met\\n\\n\\t\\t\\t\\t\\t\\tfor u in gc_inflight_list:\\n\\t\\t\\t\\t\\t\\t  if (total_refs == inflight_refs)\\n\\t\\t\\t\\t\\t\\t    add u to gc_candidates\\n\\n\\t\\t\\t\\t\\t\\t// gc_candidates={L, V}\\n\\n\\t\\t\\t\\t\\t\\tfor u in gc_candidates:\\n\\t\\t\\t\\t\\t\\t  scan_children(u, dec_inflight)\\n\\n\\t\\t\\t\\t\\t\\t// embryo (skb1) was not\\n\\t\\t\\t\\t\\t\\t// reachable from L yet, so V\u0027s\\n\\t\\t\\t\\t\\t\\t// inflight remains unchanged\\n__skb_queue_tail(L, skb1)\\nunix_state_unlock(L)\\n\\t\\t\\t\\t\\t\\tfor u in gc_candidates:\\n\\t\\t\\t\\t\\t\\t  if (u.inflight)\\n\\t\\t\\t\\t\\t\\t    scan_children(u, inc_inflight_move_tail)\\n\\n\\t\\t\\t\\t\\t\\t// V count=1 inflight=2 (!)\\n\\nIf there is a GC-candidate listening socket, lock/unlock its state. This\\nmakes GC wait until the end of any ongoing connect() to that socket. After\\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\\nthis point, unix_inflight() can not happen because unix_gc_lock is already\\ntaken. Inflight graph remains unaffected.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: af_unix: corrige la ejecuci\u00f3n del recolector de basura contra connect() El recolector de basura no tiene en cuenta el riesgo de que el embri\u00f3n quede en cola durante la recolecci\u00f3n de basura. Si dicho embri\u00f3n tiene un par que porta SCM_RIGHTS, dos pases consecutivos de scan_children() pueden ver un conjunto diferente de ni\u00f1os. Lo que lleva a un recuento en vuelo elevado incorrectamente y luego a un puntero colgante dentro de gc_inflight_list. los sockets son AF_UNIX/SOCK_STREAM S es un socket no conectado L es un socket de escucha en vuelo vinculado a addr, no en fdtable El fd de V se pasar\u00e1 a trav\u00e9s de sendmsg(), se aumenta el recuento en vuelo connect(S, addr) sendmsg(S, [ V]); cerrar(V) __unix_gc() ---------- ------------------------- -- --------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 en vuelo=0 NS = unix_peer(S ) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V se convirti\u00f3 en vuelo // V recuento=2 en vuelo=1 close(V) // V recuento=1 en vuelo=1 // Condici\u00f3n candidata de GC cumplida para u en gc_inflight_list: if (total_refs == inflight_refs) agregue u a gc_candidates // gc_candidates={L, V} para u en gc_candidates: scan_children(u, dec_inflight) // el embri\u00f3n (skb1) a\u00fan no era // accesible desde L , por lo que V\u0027s // en vuelo permanece sin cambios __skb_queue_tail(L, skb1) unix_state_unlock(L) para u en gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) Si hay un socket de escucha candidato a GC, bloquear/desbloquear su estado. Esto hace que GC espere hasta el final de cualquier conexi\u00f3n () en curso a ese socket. Despu\u00e9s de girar la cerradura, un embri\u00f3n posiblemente cargado de SCM ya est\u00e1 en cola. Y si viene otro embri\u00f3n, no es posible que porte SCM_RIGHTS. En este punto, unix_inflight() no puede ocurrir porque unix_gc_lock ya est\u00e1 en uso. El gr\u00e1fico a bordo no se ve afectado.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-362\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.6.23\",\"versionEndExcluding\":\"4.19.314\",\"matchCriteriaId\":\"2331DB2D-5410-4229-9EDF-C756966401BB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.20\",\"versionEndExcluding\":\"5.4.275\",\"matchCriteriaId\":\"5FF6D8DE-C559-4586-86C8-2C6B4420A2C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.216\",\"matchCriteriaId\":\"A44ABF89-F1BD-4C9A-895D-7596650DCD27\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.156\",\"matchCriteriaId\":\"E80AFAB4-A9F3-415C-8D6C-52D1C13F1531\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.87\",\"matchCriteriaId\":\"BDA59296-EDB8-44CD-98E4-C08C051569E6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.28\",\"matchCriteriaId\":\"8D6315B0-B3BA-406C-B0DB-51D9A63753F0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.8.7\",\"matchCriteriaId\":\"531BDFB5-EF6A-4707-902E-146368303499\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"22BEDD49-2C6D-402D-9DBF-6646F6ECD10B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"52048DDA-FC5A-4363-95A0-A6357B4D7F8C\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-265688.html\",\"source\":\"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\"},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-398330.html\",\"source\":\"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\"},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-613116.html\",\"source\":\"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:21:05.612Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-26923\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-07T17:09:18.824729Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-07T17:09:23.986Z\"}}], \"cna\": {\"title\": \"af_unix: Fix garbage collector racing against connect()\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9\", \"lessThan\": \"a36ae0ec2353015f0f6762e59f4c2dbc0c906423\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9\", \"lessThan\": \"343c5372d5e17b306db5f8f3c895539b06e3177f\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9\", \"lessThan\": \"2e2a03787f4f0abc0072350654ab0ef3324d9db3\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9\", \"lessThan\": \"e76c2678228f6aec74b305ae30c9374cc2f28a51\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9\", \"lessThan\": \"b75722be422c276b699200de90527d01c602ea7c\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9\", \"lessThan\": \"507cc232ffe53a352847893f8177d276c3b532a9\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9\", \"lessThan\": \"dbdf7bec5c920200077d693193f989cb1513f009\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9\", \"lessThan\": \"47d8ac011fe1c9251070e1bd64cb10b48193ec51\", \"versionType\": \"git\"}], \"programFiles\": [\"net/unix/garbage.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.6.23\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"2.6.23\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.19.314\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.19.*\"}, {\"status\": \"unaffected\", \"version\": \"5.4.275\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.216\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.156\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.87\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.28\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.8.7\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.8.*\"}, {\"status\": \"unaffected\", \"version\": \"6.9\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"net/unix/garbage.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423\"}, {\"url\": \"https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f\"}, {\"url\": \"https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3\"}, {\"url\": \"https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51\"}, {\"url\": \"https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c\"}, {\"url\": \"https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9\"}, {\"url\": \"https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009\"}, {\"url\": \"https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\naf_unix: Fix garbage collector racing against connect()\\n\\nGarbage collector does not take into account the risk of embryo getting\\nenqueued during the garbage collection. If such embryo has a peer that\\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\\ndifferent set of children. Leading to an incorrectly elevated inflight\\ncount, and then a dangling pointer within the gc_inflight_list.\\n\\nsockets are AF_UNIX/SOCK_STREAM\\nS is an unconnected socket\\nL is a listening in-flight socket bound to addr, not in fdtable\\nV\u0027s fd will be passed via sendmsg(), gets inflight count bumped\\n\\nconnect(S, addr)\\tsendmsg(S, [V]); close(V)\\t__unix_gc()\\n----------------\\t-------------------------\\t-----------\\n\\nNS = unix_create1()\\nskb1 = sock_wmalloc(NS)\\nL = unix_find_other(addr)\\nunix_state_lock(L)\\nunix_peer(S) = NS\\n\\t\\t\\t// V count=1 inflight=0\\n\\n \\t\\t\\tNS = unix_peer(S)\\n \\t\\t\\tskb2 = sock_alloc()\\n\\t\\t\\tskb_queue_tail(NS, skb2[V])\\n\\n\\t\\t\\t// V became in-flight\\n\\t\\t\\t// V count=2 inflight=1\\n\\n\\t\\t\\tclose(V)\\n\\n\\t\\t\\t// V count=1 inflight=1\\n\\t\\t\\t// GC candidate condition met\\n\\n\\t\\t\\t\\t\\t\\tfor u in gc_inflight_list:\\n\\t\\t\\t\\t\\t\\t  if (total_refs == inflight_refs)\\n\\t\\t\\t\\t\\t\\t    add u to gc_candidates\\n\\n\\t\\t\\t\\t\\t\\t// gc_candidates={L, V}\\n\\n\\t\\t\\t\\t\\t\\tfor u in gc_candidates:\\n\\t\\t\\t\\t\\t\\t  scan_children(u, dec_inflight)\\n\\n\\t\\t\\t\\t\\t\\t// embryo (skb1) was not\\n\\t\\t\\t\\t\\t\\t// reachable from L yet, so V\u0027s\\n\\t\\t\\t\\t\\t\\t// inflight remains unchanged\\n__skb_queue_tail(L, skb1)\\nunix_state_unlock(L)\\n\\t\\t\\t\\t\\t\\tfor u in gc_candidates:\\n\\t\\t\\t\\t\\t\\t  if (u.inflight)\\n\\t\\t\\t\\t\\t\\t    scan_children(u, inc_inflight_move_tail)\\n\\n\\t\\t\\t\\t\\t\\t// V count=1 inflight=2 (!)\\n\\nIf there is a GC-candidate listening socket, lock/unlock its state. This\\nmakes GC wait until the end of any ongoing connect() to that socket. After\\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\\nthis point, unix_inflight() can not happen because unix_gc_lock is already\\ntaken. Inflight graph remains unaffected.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.19.314\", \"versionStartIncluding\": \"2.6.23\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.275\", \"versionStartIncluding\": \"2.6.23\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.216\", \"versionStartIncluding\": \"2.6.23\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.156\", \"versionStartIncluding\": \"2.6.23\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.87\", \"versionStartIncluding\": \"2.6.23\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.28\", \"versionStartIncluding\": \"2.6.23\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.8.7\", \"versionStartIncluding\": \"2.6.23\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.9\", \"versionStartIncluding\": \"2.6.23\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-11T20:06:59.719Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-26923\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-11T20:06:59.719Z\", \"dateReserved\": \"2024-02-19T14:20:24.194Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-04-24T21:49:22.001Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.