{"id":"CVE-2024-26923","summary":"af_unix: Fix garbage collector racing against connect()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix garbage collector racing against connect()\n\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\n\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV's fd will be passed via sendmsg(), gets inflight count bumped\n\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\n\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\n\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\n\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\n\n\t\t\tclose(V)\n\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\n\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t  if (total_refs == inflight_refs)\n\t\t\t\t\t\t    add u to gc_candidates\n\n\t\t\t\t\t\t// gc_candidates={L, V}\n\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  scan_children(u, dec_inflight)\n\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V's\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  if (u.inflight)\n\t\t\t\t\t\t    scan_children(u, inc_inflight_move_tail)\n\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\n\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected.","aliases":["A-336268889","ASB-A-336268889"],"modified":"2026-04-02T10:06:25.739872Z","published":"2024-04-24T21:49:22.001Z","related":["ALSA-2024:7000","ALSA-2024:7001","ALSA-2024:8617","SUSE-SU-2024:2135-1","SUSE-SU-2024:2203-1","SUSE-SU-2024:2326-1","SUSE-SU-2024:2335-1","SUSE-SU-2024:2337-1","SUSE-SU-2024:2338-1","SUSE-SU-2024:2341-1","SUSE-SU-2024:2342-1","SUSE-SU-2024:2343-1","SUSE-SU-2024:2344-1","SUSE-SU-2024:2351-1","SUSE-SU-2024:2357-1","SUSE-SU-2024:2358-1","SUSE-SU-2024:2360-1","SUSE-SU-2024:2362-1","SUSE-SU-2024:2365-1","SUSE-SU-2024:2368-1","SUSE-SU-2024:2369-1","SUSE-SU-2024:2372-1","SUSE-SU-2024:2373-1","SUSE-SU-2024:2382-1","SUSE-SU-2024:2394-1","SUSE-SU-2024:2396-1","SUSE-SU-2024:2407-1","SUSE-SU-2024:2410-1","SUSE-SU-2024:2411-1","SUSE-SU-2024:2437-1","SUSE-SU-2024:2446-1","SUSE-SU-2024:2447-1","SUSE-SU-2024:2448-1","SUSE-SU-2024:2449-1","SUSE-SU-2024:2472-1","SUSE-SU-2024:2473-1","SUSE-SU-2024:2474-1","SUSE-SU-2024:2480-1","SUSE-SU-2024:2487-1","SUSE-SU-2024:2488-1","SUSE-SU-2024:2495-1","SUSE-SU-2024:2530-1","SUSE-SU-2024:2549-1","SUSE-SU-2024:2558-1","SUSE-SU-2024:2559-1","SUSE-SU-2024:2561-1","SUSE-SU-2024:2722-1","SUSE-SU-2024:2723-1","SUSE-SU-2024:2725-1","SUSE-SU-2024:2726-1","SUSE-SU-2024:2740-1","SUSE-SU-2024:2751-1","SUSE-SU-2024:2755-1","SUSE-SU-2024:2758-1","SUSE-SU-2024:2759-1","SUSE-SU-2024:2773-1","SUSE-SU-2024:2792-1","SUSE-SU-2024:2797-1","SUSE-SU-2024:2821-1","SUSE-SU-2024:2822-1","SUSE-SU-2024:2823-1","SUSE-SU-2024:2824-1","SUSE-SU-2024:2825-1","SUSE-SU-2024:2840-1","SUSE-SU-2024:2841-1","SUSE-SU-2024:2843-1","SUSE-SU-2024:2850-1","SUSE-SU-2024:2851-1","SUSE-SU-2024:2852-1","SUSE-SU-2024:2853-1","SUSE-SU-2024:2874-1","SUSE-SU-2024:2895-1","SUSE-SU-2024:2939-1","SUSE-SU-2024:2973-1","SUSE-SU-2024:3015-1","SUSE-SU-2024:3034-1","SUSE-SU-2024:3037-1","SUSE-SU-2024:3039-1","SUSE-SU-2024:3043-1","SUSE-SU-2024:3044-1","SUSE-SU-2024:3048-1","SUSE-SU-2024:3318-1","SUSE-SU-2024:3319-1","SUSE-SU-2024:3320-1","SUSE-SU-2024:3334-1","SUSE-SU-2024:3336-1","SUSE-SU-2024:3347-1","SUSE-SU-2024:3348-1","SUSE-SU-2024:3349-1","SUSE-SU-2024:3350-1","SUSE-SU-2024:3363-1","SUSE-SU-2024:3365-1","SUSE-SU-2024:3368-1","SUSE-SU-2024:3370-1","SUSE-SU-2024:3375-1","SUSE-SU-2024:3379-1","SUSE-SU-2024:3399-1","SUSE-SU-2024:3623-1","SUSE-SU-2024:3625-1","SUSE-SU-2024:3631-1","SUSE-SU-2024:3632-1","SUSE-SU-2024:3636-1","SUSE-SU-2024:3639-1","SUSE-SU-2024:3642-1","SUSE-SU-2024:3649-1","SUSE-SU-2024:3651-1","SUSE-SU-2024:3652-1","SUSE-SU-2024:3661-1","SUSE-SU-2024:3662-1","SUSE-SU-2024:3663-1","SUSE-SU-2024:3672-1","SUSE-SU-2024:3674-1","SUSE-SU-2024:3676-1","SUSE-SU-2024:3679-1","SUSE-SU-2024:3685-1","SUSE-SU-2024:3694-1","SUSE-SU-2024:3695-1","SUSE-SU-2024:3696-1","SUSE-SU-2024:3697-1","SUSE-SU-2024:3700-1","SUSE-SU-2024:3701-1","SUSE-SU-2024:3702-1","SUSE-SU-2024:3710-1","SUSE-SU-2024:3774-1","SUSE-SU-2024:3780-1","SUSE-SU-2024:3793-1","SUSE-SU-2024:3796-1","SUSE-SU-2024:3798-1","SUSE-SU-2024:3800-1","SUSE-SU-2024:3803-1","SUSE-SU-2024:3806-1","SUSE-SU-2024:3814-1","SUSE-SU-2024:3815-1","SUSE-SU-2024:3820-1","SUSE-SU-2024:3821-1","SUSE-SU-2024:3822-1","SUSE-SU-2024:3829-1","SUSE-SU-2024:3830-1","SUSE-SU-2024:3831-1","SUSE-SU-2024:3833-1","SUSE-SU-2024:3837-1","SUSE-SU-2024:3840-1","SUSE-SU-2024:3842-1","SUSE-SU-2024:3849-1","SUSE-SU-2024:3851-1","SUSE-SU-2024:3852-1","SUSE-SU-2024:3854-1","SUSE-SU-2024:3855-1","SUSE-SU-2024:3857-1","SUSE-SU-2024:3860-1","SUSE-SU-2024:4122-1","SUSE-SU-2024:4123-1","SUSE-SU-2024:4124-1","SUSE-SU-2024:4125-1","SUSE-SU-2024:4127-1","SUSE-SU-2024:4180-1","SUSE-SU-2024:4197-1","SUSE-SU-2024:4207-1","SUSE-SU-2024:4214-1","SUSE-SU-2024:4216-1","SUSE-SU-2024:4218-1","SUSE-SU-2024:4226-1","SUSE-SU-2024:4228-1","SUSE-SU-2024:4231-1","SUSE-SU-2024:4234-1","SUSE-SU-2024:4235-1","SUSE-SU-2024:4236-1","SUSE-SU-2024:4242-1","SUSE-SU-2024:4243-1","SUSE-SU-2024:4246-1","SUSE-SU-2024:4249-1","SUSE-SU-2024:4250-1","SUSE-SU-2024:4256-1","SUSE-SU-2024:4263-1","SUSE-SU-2024:4264-1","SUSE-SU-2024:4266-1","SUSE-SU-2024:4275-1","SUSE-SU-2025:0091-1","SUSE-SU-2025:0097-1","SUSE-SU-2025:0101-1","SUSE-SU-2025:0103-1","SUSE-SU-2025:0106-1","SUSE-SU-2025:0107-1","SUSE-SU-2025:0109-1","SUSE-SU-2025:0110-1","SUSE-SU-2025:0114-1","SUSE-SU-2025:0115-1","SUSE-SU-2025:0124-1","SUSE-SU-2025:0131-1","SUSE-SU-2025:0137-1","SUSE-SU-2025:0138-1","SUSE-SU-2025:0146-1","SUSE-SU-2025:0150-1","SUSE-SU-2025:0158-1","SUSE-SU-2025:0164-1","SUSE-SU-2025:0238-1","SUSE-SU-2025:0239-1","SUSE-SU-2025:0240-1","SUSE-SU-2025:0244-1","SUSE-SU-2025:0248-1","SUSE-SU-2025:0249-1","SUSE-SU-2025:0251-1","SUSE-SU-2025:0252-1","SUSE-SU-2025:0253-1","SUSE-SU-2025:0254-1","SUSE-SU-2025:0260-1","SUSE-SU-2025:0261-1","SUSE-SU-2025:0264-1","SUSE-SU-2025:0266-1","SUSE-SU-2025:20008-1","SUSE-SU-2025:20028-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26923.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51"},{"type":"WEB","url":"https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26923.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26923"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9"},{"fixed":"a36ae0ec2353015f0f6762e59f4c2dbc0c906423"},{"fixed":"343c5372d5e17b306db5f8f3c895539b06e3177f"},{"fixed":"2e2a03787f4f0abc0072350654ab0ef3324d9db3"},{"fixed":"e76c2678228f6aec74b305ae30c9374cc2f28a51"},{"fixed":"b75722be422c276b699200de90527d01c602ea7c"},{"fixed":"507cc232ffe53a352847893f8177d276c3b532a9"},{"fixed":"dbdf7bec5c920200077d693193f989cb1513f009"},{"fixed":"47d8ac011fe1c9251070e1bd64cb10b48193ec51"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26923.json"}}],"schema_version":"1.7.5"}