CVE-2026-22983 Overview
A NULL pointer dereference vulnerability has been identified in the Linux kernel's network subsystem, specifically within the AF_UNIX stream socket implementation. The vulnerability occurs when the msg_get_inq field is incorrectly written to in the callee function unix_stream_read_generic, potentially causing a kernel crash when the state->msg pointer is NULL during splice operations.
Critical Impact
This vulnerability can cause a kernel panic through NULL pointer dereference when splicing AF_UNIX stream sockets, potentially leading to denial of service conditions on affected Linux systems.
Affected Products
- Linux kernel (versions containing commits 4d1442979e4a and 2b514574f7e8)
- Systems using AF_UNIX stream sockets with splice operations
- Linux distributions running vulnerable kernel versions
Discovery Timeline
- 2026-01-23 - CVE-2026-22983 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2026-22983
Vulnerability Analysis
The vulnerability stems from improper handling of the msg_get_inq field in the kernel's message header structure (msghdr). The msg_get_inq field is designed as an input parameter that callers set to request the input queue length be returned in msg_inq. However, the callee function was incorrectly writing to this field, which becomes problematic when the caller does not reinitialize the field on struct reuse.
The critical issue manifests in unix_stream_read_generic when a NULL state->msg pointer is encountered during splice operations. When attempting to write to msg->msg_get_inq with a NULL message pointer, the kernel triggers a NULL pointer dereference, resulting in a kernel panic or system crash.
This vulnerability is a regression that relates to commit 4d1442979e4a ("af_unix: don't post cmsg for SO_INQ unless explicitly asked for") and was exposed by commit 2b514574f7e8 ("net: af_unix: implement splice for stream af_unix sockets").
Root Cause
The root cause is a violation of the caller-callee contract for the msg_get_inq field. The field should only be read by the callee to determine if the input queue length should be returned, not written to. The callee was modifying this input field, which combined with potential NULL message pointers during splice operations, created conditions for a NULL pointer dereference.
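A simplified userspace model of this contract violation, added here as an illustration and not taken from the kernel source or the upstream patch. The struct and function names and the sock_wants_inq setting are assumptions; only msg_get_inq and msg_inq are names from this page.

```c
#include <stdbool.h>
#include <stddef.h>
/* Userspace model: only msg_get_inq and msg_inq are names from the page. */
struct model_msghdr {
    unsigned int msg_get_inq : 1; /* input: caller requests the queue length */
    int msg_inq;                  /* output: queue length */
};
struct model_state {
    struct model_msghdr *msg;     /* NULL on the splice path */
    bool sock_wants_inq;          /* hypothetical per-socket setting */
    int queued;                   /* bytes left in the receive queue */
};

/* Flawed pattern: the callee stores into the caller's input field. */
static bool read_generic_flawed(struct model_state *state) {
    struct model_msghdr *msg = state->msg;
    if (state->sock_wants_inq)
        msg->msg_get_inq = 1;     /* faults here when msg == NULL */
    if (!msg || !msg->msg_get_inq)
        return false;
    msg->msg_inq = state->queued;
    return true;
}

/* Hardened pattern: the input field is only read, NULL msg reports nothing. */
static bool read_generic_fixed(struct model_state *state) {
    struct model_msghdr *msg = state->msg;
    if (!msg || !(msg->msg_get_inq | state->sock_wants_inq))
        return false;
    msg->msg_inq = state->queued;
    return true;
}

/* Reuse one msghdr across two calls; the socket setting is cleared between. */
static int stale_after_reuse(bool (*callee)(struct model_state *)) {
    struct model_msghdr msg = { 0, -1 };
    struct model_state st = { &msg, true, 7 };
    callee(&st);
    st.sock_wants_inq = false;
    return callee(&st);           /* 1 means the old request leaked through */
}

static int splice_path_reports(void) { /* msg == NULL, as on the splice path */
    return read_generic_fixed(&(struct model_state){ NULL, true, 7 });
}

int main(void) {
    return stale_after_reuse(read_generic_fixed) || splice_path_reports();
}
```

With the flawed callee, a msghdr reused without reinitialization keeps requesting the queue length after the socket setting is cleared; the hardened callee leaves the field as the caller set it and returns without touching a NULL msg.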
Attack Vector
The attack vector involves triggering the vulnerable code path through AF_UNIX stream socket splice operations. When splice functionality is used on AF_UNIX sockets, the state->msg pointer can be NULL (as documented in commit 2b514574f7e8). If the vulnerable code path attempts to dereference this NULL pointer to write to msg->msg_get_inq, the kernel will crash.
An attacker with local access could potentially craft specific socket operations combining splice calls with AF_UNIX stream sockets to trigger the NULL pointer dereference, causing a denial of service condition.
Detection Methods for CVE-2026-22983
Indicators of Compromise
- Kernel panic messages referencing the unix_stream_read_generic function
- System crashes during AF_UNIX socket splice operations
- Kernel oops logs showing NULL pointer dereference in networking subsystem
- Unexpected system reboots without hardware-related causes
Detection Strategies
- Monitor kernel logs for NULL pointer dereference errors in network-related functions
- Implement kernel tracing on unix_stream_read_generic function calls
- Deploy system monitoring for unexpected kernel panics or system crashes
- Review application logs for failed splice operations on Unix domain sockets
Monitoring Recommendations
- Enable kernel crash dump collection for post-incident analysis
- Configure system monitoring to alert on kernel oops or panic events
- Monitor for abnormal patterns in AF_UNIX socket usage
- Implement centralized log collection for kernel messages across affected systems
How to Mitigate CVE-2026-22983
Immediate Actions Required
- Apply the kernel patches from the official kernel git repository
- Prioritize patching systems that heavily utilize AF_UNIX sockets with splice operations
- Schedule maintenance windows for kernel updates and system reboots
- Monitor patched systems for stability after updates
Patch Information
The Linux kernel development team has released fixes for this vulnerability. The patches modify the code to avoid writing to msg_get_inq in the callee function and properly handle the NULL state->msg case. The fix also simplifies the code by collapsing two branches using a bitwise OR operation.
Patches are available at:
Workarounds
- Limit use of splice operations on AF_UNIX stream sockets where possible until patching is complete
- Implement application-level restrictions on socket splice functionality
- Consider isolating workloads using AF_UNIX splice in containers with crash recovery mechanisms
- Deploy monitoring to detect and recover from potential system crashes
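# Check the running kernel version for vulnerability assessment
uname -r
# Confirm AF_UNIX support is built into the running kernel.
# Note: this does not show whether the fix is applied; patch verification
# depends on the distribution (check the vendor kernel changelog or advisory).
# Falls back to /boot when /proc/config.gz is not exposed.
{ zcat /proc/config.gz 2>/dev/null || cat "/boot/config-$(uname -r)"; } | grep -E '^CONFIG_(UNIX|AF_UNIX_OOB)='
# Monitor for kernel crashes related to this vulnerability
dmesg | grep -i "null pointer\|unix_stream"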
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


