HIGH
af_unix Diag Race
CVE-2026-31673
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 5.5 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

af_unix: read UNIX_DIAG_VFS data under unix_state_lock

Exact UNIX diag lookups hold a reference to the socket, but not to u->path. Meanwhile, unix_release_sock() clears u->path under unix_state_lock() and drops the path reference after unlocking.

Read the inode and device numbers for UNIX_DIAG_VFS while holding unix_state_lock(), then emit the netlink attribute after dropping the lock. This keeps the VFS data stable while the reply is being built.
02 KernelScan AI Analysis
Risk summary
Local users with low privileges can trigger a race condition in Unix socket diagnostics that may leak kernel memory contents. The vulnerability occurs when reading VFS information from Unix sockets without proper locking, potentially exposing sensitive kernel data structures.
Vulnerability analysis
The root cause is a Time-of-Check-Time-of-Use (TOCTOU) race in sk_diag_dump_vfs() where u->path.dentry is accessed without holding unix_state_lock(). The unix_release_sock() function clears u->path under the lock but drops the path reference after unlocking, creating a window where the dentry pointer becomes stale. An attacker can trigger concurrent socket operations to cause the diagnostic code to read freed memory, potentially leaking kernel addresses or other sensitive data. The fix moves the VFS data reading inside the critical section protected by unix_state_lock(), ensuring the path remains stable during access.
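The locking pattern the fix applies, as an added user-space model (not kernel code and not the patch itself): a hypothetical `unix_sock_model` stands in for the socket, an atomic spinlock for `unix_state_lock()`, and `diag_dump_vfs()` copies the inode and device numbers while the lock is held so that the netlink attribute can be built after unlocking without ever touching a path that `release_sock()` may have freed.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical user-space stand-ins for the kernel structures, not kernel code. */
struct vfs_path { uint64_t ino; uint32_t dev; };
struct unix_sock_model {
    atomic_flag state_lock;   /* models unix_state_lock() */
    struct vfs_path *path;    /* models u->path; NULL once the socket is released */
};
static void state_lock(struct unix_sock_model *u) { while (atomic_flag_test_and_set(&u->state_lock)) {} }
static void state_unlock(struct unix_sock_model *u) { atomic_flag_clear(&u->state_lock); }

/* UNIX_DIAG_VFS values, copied out under the lock and emitted afterwards. */
struct diag_vfs { bool present; uint64_t ino; uint32_t dev; };

/* Fixed shape: read ino/dev while holding the lock, emit only after unlocking.
   The pre-fix code dereferenced u->path with no lock held, so a concurrent
   release could free the path while the reply was being built. */
struct diag_vfs diag_dump_vfs(struct unix_sock_model *u)
{
    struct diag_vfs out = {0};
    state_lock(u);
    if (u->path) { out.present = true; out.ino = u->path->ino; out.dev = u->path->dev; }
    state_unlock(u);
    return out;   /* the real code would nla_put() these values here, lock already dropped */
}

/* Models unix_release_sock(): clear u->path under the lock, drop the reference after. */
void release_sock(struct unix_sock_model *u)
{
    state_lock(u);
    struct vfs_path *p = u->path;
    u->path = NULL;
    state_unlock(u);
    free(p);   /* path reference dropped outside the lock, as in the kernel */
}

/* Constructed sample socket with a bound filesystem path. */
struct unix_sock_model *sock_create(uint64_t ino, uint32_t dev)
{
    struct unix_sock_model *u = calloc(1, sizeof *u);
    atomic_flag_clear(&u->state_lock);
    u->path = malloc(sizeof *u->path);
    *u->path = (struct vfs_path){ .ino = ino, .dev = dev };
    return u;
}
```

Once `release_sock()` has cleared the path, `diag_dump_vfs()` reports no attribute instead of reading the freed structure.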
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.83 | 0c739f3785f8 |
| 6.18 | 6.18.24 | 900a4e0910e9 |
| 6.19 | 6.19.14 | bdf206e740bf |
| 6.6 | 6.6.136 | b9232421a77a |
| mainline | 7.0 | 39897df38637 |