CVE-2024-26923 Overview
CVE-2024-26923 is a race condition vulnerability in the Linux kernel's AF_UNIX socket subsystem. The flaw is in the garbage collector, which fails to account for embryo sockets (pending connections) being enqueued while a collection is in progress. When a connect() operation races against the garbage collector (__unix_gc()), the garbage collector may observe inconsistent state, leading to an incorrectly elevated inflight count and, in turn, a dangling pointer within the gc_inflight_list.
Critical Impact
This race condition can cause dangling pointers in kernel memory structures, potentially leading to system instability, denial of service, or exploitation scenarios involving use-after-free conditions in the AF_UNIX socket garbage collector.
Affected Products
- Linux Kernel (multiple versions including 6.9-rc1, 6.9-rc2, 6.9-rc3)
- Debian Linux 10.0
- Various Linux distributions using affected kernel versions
Discovery Timeline
- 2024-04-25 - CVE-2024-26923 published to NVD
- 2025-12-23 - Last updated in NVD database
Technical Details for CVE-2024-26923
Vulnerability Analysis
This vulnerability (CWE-362: Race Condition) occurs in the AF_UNIX socket subsystem's garbage collector. The issue arises because the garbage collector does not properly synchronize with concurrent connect() operations on UNIX domain sockets. When an embryo socket (a socket in the process of being connected) gets enqueued during garbage collection, two consecutive passes of scan_children() may observe different sets of child sockets.
The race condition specifically involves AF_UNIX/SOCK_STREAM sockets where:
- An unconnected socket S attempts to connect to a listening in-flight socket L
- A file descriptor V is being passed via sendmsg() with SCM_RIGHTS
- The garbage collector __unix_gc() runs concurrently
During this race, the embryo socket (skb1) may not be visible to the garbage collector during the first scan_children() pass but becomes visible during the second pass, causing the inflight reference count to be incorrectly incremented without a corresponding decrement, leading to memory corruption.
Root Cause
The root cause is insufficient locking synchronization between the connect() operation and the garbage collector. The garbage collector did not acquire the state lock of listening sockets that are GC candidates, allowing connect() to enqueue embryo sockets mid-collection. This creates a scenario where the garbage collector's view of the socket graph changes between scan passes, resulting in incorrect reference counting.
Attack Vector
The vulnerability requires local access to exploit. An attacker with the ability to create and manipulate AF_UNIX sockets could attempt to trigger the race condition by:
- Creating a listening UNIX domain socket that becomes a GC candidate
- Initiating a connect() to that socket while simultaneously passing file descriptors via sendmsg() with SCM_RIGHTS
- Timing the operations to coincide with garbage collector execution
The exploitation window requires precise timing between socket operations and the kernel's garbage collection cycle. The complexity of exploitation is high due to the timing requirements, but successful exploitation could result in dangling pointers and potential use-after-free scenarios.
The vulnerability manifests when an embryo socket carrying SCM_RIGHTS references is enqueued after the garbage collector's initial scan but before the second scan completes. The fix implements proper state lock acquisition on GC-candidate listening sockets, ensuring that any ongoing connect() operations complete before garbage collection proceeds. This guarantees that once the lock is released, any SCM-laden embryo is already fully enqueued and visible to the garbage collector. For detailed technical implementation, see the Linux Kernel Commit 47d8ac0.
Detection Methods for CVE-2024-26923
Indicators of Compromise
- Unexpected kernel crashes or panics related to the AF_UNIX subsystem or garbage collector
- Kernel log messages indicating use-after-free or invalid memory access in unix_gc or related functions
- System instability when applications heavily use UNIX domain sockets with SCM_RIGHTS for file descriptor passing
Detection Strategies
- Monitor kernel logs for oops, panics, or warnings mentioning af_unix, unix_gc, or gc_inflight_list
- Deploy kernel-level monitoring tools to detect anomalous socket operations or reference counting issues
- Use static analysis tools on kernel builds to identify unpatched versions
Monitoring Recommendations
- Implement auditd rules to log UNIX domain socket operations in sensitive environments
- Monitor for applications creating large numbers of UNIX domain sockets with rapid connect/disconnect cycles
- Track kernel version deployments across infrastructure to identify systems running vulnerable versions
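The log-based indicators and detection strategies above can be turned into a small scanner. The following is an added example written for this page (it is not code from the Linux kernel, Debian, or the page's author): it walks kernel log lines, flags any line that mentions the AF_UNIX garbage collector symbols the page names (af_unix, unix_gc, gc_inflight_list, scan_children) and rates it "critical" when a crash marker (BUG:, Oops, KASAN, use-after-free, general protection fault, WARNING:) appears on the same line or within a short preceding window, so that call-trace frames that follow a generic fault line are still attributed to it. The sample dmesg lines, the 12-line window and the symbol list are constructed assumptions for the example, not real crash output.

```python
"""Scan kernel log lines for AF_UNIX garbage-collector crash indicators.

Added example for CVE-2024-26923 detection (not kernel, Debian or page code).
Sample log lines below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Symbols tied to the AF_UNIX garbage collector, taken from the page's
# detection strategies and vulnerability analysis.
GC_TOKENS = ("af_unix", "unix_gc", "gc_inflight_list", "scan_children")

# Kernel crash / sanitizer markers (case-sensitive, as the kernel prints them).
CRASH_MARKERS = (
    "BUG:", "Oops", "Kernel panic", "KASAN", "use-after-free",
    "general protection fault", "WARNING:",
)

# Assumed window: a GC symbol this many lines after a crash marker is treated
# as a call-trace frame belonging to that crash.
TRACE_WINDOW = 12


@dataclass
class Finding:
    line_no: int            # 1-based index into the scanned input
    severity: str           # "critical" (crash context) or "context" (symbol only)
    marker: Optional[str]   # crash marker that applies, if any
    token: str              # GC symbol that matched
    text: str


def _first_match(needles, line, fold_case):
    """Return the first needle found in line, optionally case-insensitive."""
    hay = line.lower() if fold_case else line
    for needle in needles:
        if (needle.lower() if fold_case else needle) in hay:
            return needle
    return None


def scan_log(lines: Iterable[str]) -> list[Finding]:
    """Return one Finding per line that references the AF_UNIX GC symbols."""
    findings = []
    last_marker = None
    last_marker_line = -TRACE_WINDOW - 1   # guarantees "out of window" at start
    for line_no, line in enumerate(lines, start=1):
        marker = _first_match(CRASH_MARKERS, line, fold_case=False)
        if marker:
            last_marker, last_marker_line = marker, line_no
        token = _first_match(GC_TOKENS, line, fold_case=True)
        if not token:
            continue
        in_crash_window = line_no - last_marker_line <= TRACE_WINDOW
        if marker or in_crash_window:
            findings.append(Finding(line_no, "critical", marker or last_marker,
                                    token, line.rstrip()))
        else:
            findings.append(Finding(line_no, "context", None, token, line.rstrip()))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Count findings per severity, e.g. {"critical": 3, "context": 1}."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample dmesg output (not a real crash); addresses are made up.
SAMPLE_DMESG = """\
[    0.900000] NET: Registered af_unix protocol family (constructed sample line)
[  301.442000] BUG: KASAN: slab-use-after-free in unix_gc+0x2a4/0x7c0
[  301.443000] Read of size 8 at addr ffff888012345678 by task fdpasser/1234
[  301.450000] Call Trace:
[  301.451000]  __unix_gc+0x1d0/0x7c0
[  301.452000]  unix_release_sock+0x3f0/0x520
[  600.000000] general protection fault, probably for non-canonical address 0xdead000000000122: 0000 [#1] PREEMPT SMP
[  600.001000] RIP: 0010:scan_children+0x88/0x1a0
[  700.000000] audit: type=1300 audit(1700000000.000:42): arch=c000003e syscall=42 success=yes
"""

if __name__ == "__main__":
    results = scan_log(SAMPLE_DMESG.splitlines())
    for f in results:
        print(f"line {f.line_no}: {f.severity:8} marker={f.marker!r} token={f.token}: {f.text}")
    print(summarize(results))
```

Feeding the scanner `dmesg` or `journalctl -k` output line by line gives a quick triage view; the "context" bucket separates benign mentions of the subsystem from lines that sit inside a crash record, which is what the Indicators of Compromise section is actually asking for.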
How to Mitigate CVE-2024-26923
Immediate Actions Required
- Update Linux kernel to a patched version that includes the fix for this race condition
- Review and prioritize patching for systems that heavily utilize UNIX domain sockets with file descriptor passing
- Consider temporary workload isolation for critical systems until patches can be applied
Patch Information
Multiple patches have been released across various kernel branches. The fix implements proper state lock acquisition on GC-candidate listening sockets to ensure synchronization between connect() operations and the garbage collector:
- Linux Kernel Commit 47d8ac0
- Linux Kernel Commit 507cc23
- Linux Kernel Commit a36ae0e
- Linux Kernel Commit b75722b
- Linux Kernel Commit dbdf7be
Debian users should reference the Debian LTS Announcement 2024-06-17 and Debian LTS Announcement 2024-06-20 for distribution-specific updates.
Workarounds
- Limit unprivileged access to create UNIX domain sockets where feasible
- Apply kernel hardening configurations to reduce the impact of potential memory corruption
- Monitor affected systems closely for anomalous behavior until patches can be deployed
# Check the running kernel version for vulnerability assessment
uname -r
# Verify whether the fix is present: on Debian the package changelog lists the
# CVE ids addressed by each upload (the fix lands in net/unix/garbage.c)
apt changelog "linux-image-$(uname -r)" | grep -i CVE-2024-26923
# Update the kernel on Debian-based systems. Install the architecture metapackage
# rather than upgrading only the running ABI package, so that a fix shipped under
# a new ABI revision is pulled in as well (assumes Debian's linux-image-<arch> naming)
sudo apt update && sudo apt install "linux-image-$(dpkg --print-architecture)"
# Reboot to boot into the new kernel
sudo systemctl reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.