PatchSiren

CVE-2026-23394 Linux CVE debrief

A race condition in the Linux kernel's AF_UNIX socket garbage collector (GC) can cause premature purging of a live socket's receive queue when MSG_PEEK operations interleave with socket close() calls. The vulnerability reintroduces a previously-fixed issue (commit cbcf01128d0a) that resurfaced after GC algorithm changes removed protective locking in unix_peek_fds(). When MSG_PEEK bumps a file reference count without GC awareness, concurrent close() and GC operations can incorrectly conclude that both sockets in a strongly connected component (SCC) are dead, leading to erroneous queue invalidation. The fix uses seqcount_t to signal MSG_PEEK activity to GC, allowing the collector to defer SCC processing to a subsequent run when a race is detected, without imposing locking overhead on the MSG_PEEK path.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 4.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-25
Original CVE updated: 2026-06-01
Advisory published: 2026-03-25
Advisory updated: 2026-06-01

Who should care

Linux system administrators, kernel maintainers, container platform operators, and security teams running workloads with intensive AF_UNIX socket usage (e.g., D-Bus, systemd, container runtimes) where MSG_PEEK is employed and multi-threaded socket operations occur. The local attack vector and high attack complexity reduce immediate widespread risk, but availability impact could affect critical inter-process communication services.

Technical summary

The vulnerability exists in the AF_UNIX socket garbage collection logic in the Linux kernel. The GC algorithm determines socket liveness by comparing file reference counts against inflight file descriptor counts. MSG_PEEK on a received file descriptor bumps the file reference count without synchronizing with GC. If close() decrements a reference count while GC is evaluating unix_vertex_dead() for sockets in a strongly connected component, GC may incorrectly conclude both sockets are dead and purge a live socket's receive queue. The fix introduces seqcount_t to signal MSG_PEEK activity to GC, causing GC to defer processing of affected SCCs to subsequent runs when a race is detected. This avoids the need for locking on the MSG_PEEK fast path while preventing erroneous collection.
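
The race and the deferral described above, as a single-threaded userspace model in C (an added example, not the kernel patch and not code from this page). The struct and function names and the starting reference counts are constructed for illustration, and the interleaving is simulated with a callback rather than real threads.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only, not kernel code; every name below is hypothetical. */
enum gc_result { GC_ALIVE, GC_COLLECTED, GC_DEFERRED };
struct sock_model { int file_refs, inflight; }; /* inflight: refs held by queued fds */
struct scc_model { atomic_uint peek_seq; struct sock_model sk[2]; };

/* Modelled MSG_PEEK: take a file reference and bump the sequence, no lock. */
static void model_peek(struct scc_model *s, int i)
{
    s->sk[i].file_refs++;
    atomic_fetch_add(&s->peek_seq, 1);
}
/* Modelled close(): drop the reference held by the open fd. */
static void model_close(struct scc_model *s, int i) { s->sk[i].file_refs--; }
/* Interleaving from the summary: peek sk[0] through sk[1], then close sk[1]. */
static void racing_thread(struct scc_model *s) { model_peek(s, 0); model_close(s, 1); }

/* One GC pass; `between` (may be NULL) stands in for a thread running mid-pass. */
static enum gc_result model_gc(struct scc_model *s,
                               void (*between)(struct scc_model *), bool check_seq)
{
    unsigned start = atomic_load(&s->peek_seq);
    bool dead = true;
    for (int i = 0; i < 2; i++) {
        /* A vertex looks dead when all of its file refs are in-flight ones. */
        dead = dead && s->sk[i].file_refs == s->sk[i].inflight;
        if (i == 0 && between) between(s);
    }
    if (!dead) return GC_ALIVE;
    if (check_seq && atomic_load(&s->peek_seq) != start)
        return GC_DEFERRED;   /* a peek intervened: leave the SCC for a later run */
    return GC_COLLECTED;      /* receive queues would be purged here */
}

/* Constructed state: sk[0] closed (1 ref, in flight); sk[1] open (2 refs, 1 in flight). */
static enum gc_result run_scenario(bool check_seq, bool race)
{
    struct scc_model s = { .sk = { { 1, 1 }, { 2, 1 } } };
    return model_gc(&s, race ? racing_thread : NULL, check_seq);
}

int main(void)
{
    printf("unchecked=%d checked=%d\n", run_scenario(false, true), run_scenario(true, true));
    return 0;
}
```

Without the sequence check the pass ends in GC_COLLECTED even though sk[0] now holds a reference that is not in flight; with the check the same interleaving ends in GC_DEFERRED.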

Defensive priority

medium

Recommended defensive actions

  • Apply the relevant stable kernel patch for your version: 6.1.x, 6.6.x, 6.10.x through 6.18.x, 6.19.x, or 7.0-rc series. Patches are available via the Linux kernel stable tree.
  • Upgrade to a fixed kernel version: 6.2 or later for 6.1.x branch, 6.7 or later for 6.6.x branch, 6.18.23 or later for 6.10.x-6.18.x branch, 6.19.10 or later for 6.19.x branch, or 7.0-rc8 or later for 7.0-rc series.
  • If immediate patching is not feasible, monitor for kernel Oops or unexpected socket behavior in applications heavily using AF_UNIX sockets with MSG_PEEK, particularly in multi-threaded environments with frequent socket creation

Evidence notes

The vulnerability description explicitly states this is a reintroduction of a previously-fixed issue from commit cbcf01128d0a (af_unix: fix garbage collect vs MSG_PEEK). The race condition involves unix_vertex_dead() checks, MSG_PEEK reference count bumps, and close() reference count decrements on AF_UNIX sockets in a strongly connected component. The resolution uses seqcount_t to detect MSG_PEEK races during GC and defer collection. Multiple stable kernel patches are available.

Official resources

2026-03-25T11:16:40.190Z