Skip to main content

Linux EUVDEUVD-2026-15396

| CVE-2026-23394 MEDIUM
Race Condition (CWE-362)
2026-03-25 Linux GHSA-p5pc-67g7-qcv2
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.2 MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 24, 2026 - 15:22 NVD
4.7 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15396
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:33 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

af_unix: Give up GC if MSG_PEEK intervened.

Igor Ushakov reported that GC purged the receive queue of an alive socket due to a race with MSG_PEEK with a nice repro.

This is the exact same issue previously fixed by commit cbcf01128d0a ("af_unix: fix garbage collect vs MSG_PEEK").

After GC was replaced with the current algorithm, the cited commit removed the locking dance in unix_peek_fds() and reintroduced the same issue.

The problem is that MSG_PEEK bumps a file refcount without interacting with GC.

Consider an SCC containing sk-A and sk-B, where sk-A is close()d but can be recv()ed via sk-B.

The bad thing happens if sk-A is recv()ed with MSG_PEEK from sk-B and sk-B is close()d while GC is checking unix_vertex_dead() for sk-A and sk-B.

GC thread User thread --------- ----------- unix_vertex_dead(sk-A) -> true <------. \ `------ recv(sk-B, MSG_PEEK) invalidate !! -> sk-A's file refcount : 1 -> 2

close(sk-B) -> sk-B's file refcount : 2 -> 1 unix_vertex_dead(sk-B) -> true

Initially, sk-A's file refcount is 1 by the inflight fd in sk-B recvq. GC thinks sk-A is dead because the file refcount is the same as the number of its inflight fds.

However, sk-A's file refcount is bumped silently by MSG_PEEK, which invalidates the previous evaluation.

At this moment, sk-B's file refcount is 2; one by the open fd, and one by the inflight fd in sk-A. The subsequent close() releases one refcount by the former.

Finally, GC incorrectly concludes that both sk-A and sk-B are dead.

One option is to restore the locking dance in unix_peek_fds(), but we can resolve this more elegantly thanks to the new algorithm.

The point is that the issue does not occur without the subsequent close() and we actually do not need to synchronise MSG_PEEK with the dead SCC detection.

When the issue occurs, close() and GC touch the same file refcount. If GC sees the refcount being decremented by close(), it can just give up garbage-collecting the SCC.

Therefore, we only need to signal the race during MSG_PEEK with a proper memory barrier to make it visible to the GC.

Let's use seqcount_t to notify GC when MSG_PEEK occurs and let it defer the SCC to the next run.

This way no locking is needed on the MSG_PEEK side, and we can avoid imposing a penalty on every MSG_PEEK unnecessarily.

Note that we can retry within unix_scc_dead() if MSG_PEEK is detected, but we do not do so to avoid hung task splat from abusive MSG_PEEK calls.

AnalysisAI

A race condition exists in the Linux kernel's AF_UNIX socket implementation where the garbage collector (GC) can incorrectly purge receive queues of alive sockets when MSG_PEEK operations occur concurrently with socket closure. The vulnerability affects all Linux kernel versions and allows local attackers with socket access to cause information disclosure or denial of service by triggering the race condition between MSG_PEEK, socket closure, and GC execution. A proof-of-concept demonstrating the issue has been publicly reported by Igor Ushakov, and patches are available in the stable kernel tree.

Technical ContextAI

The vulnerability resides in the AF_UNIX socket garbage collection algorithm (af_unix.c) in the Linux kernel, affecting cpe:2.3:a:linux:linux (all versions). The root cause is a synchronization failure between MSG_PEEK socket operations and the GC dead socket detection mechanism. MSG_PEEK increments file reference counts without coordinating with GC, which uses reference count analysis to determine if sockets in a strongly connected component (SCC) are dead. When MSG_PEEK bumps a refcount and then close() decrements it while GC is evaluating unix_vertex_dead(), GC can incorrectly conclude that alive sockets are dead, leading to premature queue purging. This is fundamentally a CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) issue, as the shared file refcount resource lacks proper synchronization between concurrent paths (MSG_PEEK reader and GC collector). The fix introduces seqcount_t barriers to signal MSG_PEEK races to GC, allowing GC to defer suspicious SCCs to the next collection cycle without requiring locks on the MSG_PEEK fast path.

RemediationAI

Upgrade the Linux kernel to a version that includes the seqcount_t-based MSG_PEEK race detection fix, typically available in stable branches shortly after the commit date. Check your distribution's kernel security advisories and install the latest patched kernel (e.g., via apt update && apt install linux-image-generic on Debian/Ubuntu, or dnf update kernel on Red Hat/Fedora). Reboot the system to activate the patched kernel. Until patching is possible, mitigate risk by restricting local user access and monitoring for unexpected socket-related errors or queue purges in logs. If running containerized workloads, ensure proper seccomp or AppArmor profiles restrict socket creation capabilities to necessary processes only. No network-level mitigation is applicable since this is a local kernel vulnerability affecting inter-process socket communication.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid vulnerable 6.19.8-1 -
(unstable) fixed (unfixed) -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15396 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy