Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53361

CVE-2026-53361: Linux Kernel Race Condition Vulnerability

CVE-2026-53361 is a race condition flaw in the Linux kernel's af_unix module that affects garbage collection tracking. This vulnerability can cause gc_in_progress to remain false during execution. This post covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-53361 Overview

CVE-2026-53361 is a race condition in the Linux kernel's af_unix subsystem. The flaw resides in the garbage collection logic for Unix domain sockets, specifically in the unix_gc() function. When unix_schedule_gc() is invoked concurrently from multiple threads, the gc_in_progress flag can be observed as false even while garbage collection is actively running. This breaks assumptions made by unix_peek_fpl(), which relies on gc_in_progress to coordinate safe handling of MSG_PEEK operations on file descriptors passed over Unix sockets. The kernel maintainers resolved the issue by setting gc_in_progress to true inside unix_gc() itself.

Critical Impact

Concurrent scheduling of Unix socket garbage collection can desynchronize state used by MSG_PEEK file descriptor handling, potentially corrupting kernel data structures.

Affected Products

  • Linux kernel (mainline) — net/unix/garbage.caf_unix subsystem
  • Stable kernel branches receiving the referenced backport commits
  • Distributions shipping unpatched Linux kernels with Unix domain socket file descriptor passing

Discovery Timeline

  • 2026-07-04 - CVE-2026-53361 published to NVD
  • 2026-07-04 - Last updated in NVD database

Technical Details for CVE-2026-53361

Vulnerability Analysis

The vulnerability is a race condition [CWE-362] in the Unix domain socket garbage collector. The unix_schedule_gc() function checks whether gc_in_progress is false before setting it to true and queuing the garbage collection work. Because the check and the set are not atomic with respect to the actual execution of unix_gc(), two threads can each pass the guard, set the flag, and queue work items in sequence.

The first unix_gc() invocation clears gc_in_progress at the end of its run. The second queued unix_gc() then executes with gc_in_progress observed as false for the duration of its work, because the flag was never re-set at the start of the second run. unix_peek_fpl() uses gc_in_progress to avoid confusing the collector when MSG_PEEK is used on messages carrying SCM_RIGHTS file descriptors. If the flag is not asserted during collection, peek operations and the garbage collector can operate on the same file descriptor state concurrently.

Root Cause

The root cause is missing state synchronization between the scheduler (unix_schedule_gc()) and the worker (unix_gc()). The flag transition from false to true occurs only in the scheduler path. Once a scheduler thread queues a work item, a subsequent scheduler thread can queue a second work item and toggle the flag again before the first worker finishes. The fix moves the assignment gc_in_progress = true into unix_gc() so the flag reliably reflects worker state regardless of scheduling ordering.

Attack Vector

Exploitation requires local code execution that can create Unix domain sockets, pass file descriptors using SCM_RIGHTS, and issue recvmsg() calls with the MSG_PEEK flag. A local process can drive concurrent garbage collection scheduling by cyclically referencing sockets across processes while triggering peek operations. The vulnerability is not remotely exploitable and requires the ability to invoke socket system calls on the target host. See the Linux kernel commit series for the reference fix.

Detection Methods for CVE-2026-53361

Indicators of Compromise

  • Kernel warnings, BUG: traces, or KASAN reports originating from net/unix/garbage.c or unix_peek_fpl call sites.
  • Unexpected reference count imbalances on file descriptors passed via SCM_RIGHTS on Unix sockets.
  • Kernel panics or slab corruption reports referencing unix_sock or scm_fp_list structures.

Detection Strategies

  • Compare running kernel version and build against distribution advisories that reference the fix commits 0cfa78c0, 591f1ac2, 82c17e13, and d82ba052.
  • Monitor dmesg and /var/log/kern.log for repeated soft lockups or scheduler warnings tied to unix_gc work items.
  • Audit local processes that intensively use SCM_RIGHTS with MSG_PEEK, which is an uncommon pattern on most workloads.

Monitoring Recommendations

  • Ship kernel ring buffer logs to a central SIEM and alert on faults referencing af_unix or garbage.c.
  • Track kernel package versions across the fleet and flag hosts not yet running a patched stable release.
  • Baseline normal Unix socket activity per workload so anomalous descriptor passing bursts stand out.

How to Mitigate CVE-2026-53361

Immediate Actions Required

  • Inventory Linux hosts and identify kernels that predate the referenced stable commits.
  • Apply vendor kernel updates that incorporate the af_unix garbage collection fix and reboot affected systems.
  • Restrict local access on shared multi-tenant hosts until patched kernels are deployed.

Patch Information

The upstream fix moves the gc_in_progress = true assignment into unix_gc() so the flag is set by the worker rather than only by the scheduler. Patched commits are available in the stable trees at 0cfa78c0, 591f1ac2, 82c17e13, and d82ba052. Apply the update matching your stable branch and rebuild or install the vendor package.

Workarounds

  • No supported runtime workaround exists; the flag ordering is internal kernel behavior.
  • Reduce exposure by limiting untrusted local users and containers on hosts that cannot be patched immediately.
  • Enforce least-privilege on services that pass file descriptors over Unix sockets to shrink the local attack surface.
bash
# Verify the running kernel and check for updates
uname -r
# Debian/Ubuntu
apt-get update && apt-get install --only-upgrade linux-image-$(uname -r | sed 's/-generic//')
# RHEL/CentOS/Fedora
dnf update kernel && systemctl reboot

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.