{ "dataType": "CVE_RECORD", "cveMetadata": { "cveId": "CVE-2024-26923", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.194Z", "datePublished": "2024-04-24T21:49:22.001Z", "dateUpdated": "2026-05-12T11:50:40.454Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T20:06:59.719Z" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix garbage collector racing against connect()\n\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\n\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV's fd will be passed via sendmsg(), gets inflight count bumped\n\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\n\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\n\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\n\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\n\n\t\t\tclose(V)\n\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\n\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t if (total_refs == inflight_refs)\n\t\t\t\t\t\t add u to gc_candidates\n\n\t\t\t\t\t\t// gc_candidates={L, V}\n\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t scan_children(u, dec_inflight)\n\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V's\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t if (u.inflight)\n\t\t\t\t\t\t scan_children(u, inc_inflight_move_tail)\n\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\n\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected." } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "net/unix/garbage.c" ], "versions": [ { "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "a36ae0ec2353015f0f6762e59f4c2dbc0c906423", "status": "affected", "versionType": "git" }, { "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "343c5372d5e17b306db5f8f3c895539b06e3177f", "status": "affected", "versionType": "git" }, { "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "2e2a03787f4f0abc0072350654ab0ef3324d9db3", "status": "affected", "versionType": "git" }, { "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "e76c2678228f6aec74b305ae30c9374cc2f28a51", "status": "affected", "versionType": "git" }, { "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "b75722be422c276b699200de90527d01c602ea7c", "status": "affected", "versionType": "git" }, { "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "507cc232ffe53a352847893f8177d276c3b532a9", "status": "affected", "versionType": "git" }, { "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "dbdf7bec5c920200077d693193f989cb1513f009", "status": "affected", "versionType": "git" }, { "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9", "lessThan": "47d8ac011fe1c9251070e1bd64cb10b48193ec51", "status": "affected", "versionType": "git" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "net/unix/garbage.c" ], "versions": [ { "version": "2.6.23", "status": "affected" }, { "version": "0", "lessThan": "2.6.23", "status": "unaffected", "versionType": "semver" }, { "version": "4.19.314", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.4.275", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.10.216", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.15.156", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.1.87", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.6.28", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.8.7", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "4.19.314" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "5.4.275" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "5.10.216" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "5.15.156" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "6.1.87" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "6.6.28" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "6.8.7" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "6.9" } ] } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423" }, { "url": "https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f" }, { "url": "https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3" }, { "url": "https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51" }, { "url": "https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c" }, { "url": "https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9" }, { "url": "https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009" }, { "url": "https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51" } ], "title": "af_unix: Fix garbage collector racing against connect()", "x_generator": { "engine": "bippy-1.2.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2024-07-02T00:00:00+00:00", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2024-26923" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-10T19:34:43.753Z" } }, { "providerMetadata": { "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:21:05.612Z" }, "title": "CVE Program Container", "references": [ { "url": "https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423", "tags": [ "x_transferred" ] }, { "url": "https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f", "tags": [ "x_transferred" ] }, { "url": "https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3", "tags": [ "x_transferred" ] }, { "url": "https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51", "tags": [ "x_transferred" ] }, { "url": "https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c", "tags": [ "x_transferred" ] }, { "url": "https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9", "tags": [ "x_transferred" ] }, { "url": "https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009", "tags": [ "x_transferred" ] }, { "url": "https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51", "tags": [ "x_transferred" ] }, { "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": [ "x_transferred" ] }, { "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", "tags": [ "x_transferred" ] } ] }, { "x_adpType": "supplier", "providerMetadata": { "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e", "shortName": "siemens-SADP", "dateUpdated": "2026-05-12T11:50:40.454Z" }, "affected": [ { "vendor": "Siemens", "product": "RUGGEDCOM RST2428P", "versions": [ { "status": "affected", "version": "0", "lessThan": "V3.1", "versionType": "custom" } ], "defaultStatus": "unknown" }, { "vendor": "Siemens", "product": "SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family", "versions": [ { "status": "unaffected", "version": "0", "lessThan": "*", "versionType": "custom" } ], "defaultStatus": "unknown" }, { "vendor": "Siemens", "product": "SCALANCE XCM-/XRM-/XCH-/XRH-300 family", "versions": [ { "status": "affected", "version": "0", "lessThan": "V3.1", "versionType": "custom" } ], "defaultStatus": "unknown" }, { "vendor": "Siemens", "product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem", "versions": [ { "status": "affected", "version": "0", "lessThan": "*", "versionType": "custom" } ], "defaultStatus": "unknown" }, { "vendor": "Siemens", "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP", "versions": [ { "status": "affected", "version": "V3.1.0", "lessThan": "V3.1.5", "versionType": "custom" } ], "defaultStatus": "unknown" }, { "vendor": "Siemens", "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP", "versions": [ { "status": "affected", "version": "V3.1.0", "lessThan": "V3.1.5", "versionType": "custom" } ], "defaultStatus": "unknown" }, { "vendor": "Siemens", "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP", "versions": [ { "status": "affected", "version": "V3.1.0", "lessThan": "V3.1.5", "versionType": "custom" } ], "defaultStatus": "unknown" }, { "vendor": "Siemens", "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP", "versions": [ { "status": "affected", "version": "V3.1.0", "lessThan": "V3.1.5", "versionType": "custom" } ], "defaultStatus": "unknown" }, { "vendor": "Siemens", "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP", "versions": [ { "status": "affected", "version": "V3.1.0", "lessThan": "V3.1.5", "versionType": "custom" } ], "defaultStatus": "unknown" } ], "references": [ { "url": "https://cert-portal.siemens.com/productcert/html/ssa-398330.html" }, { "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html" }, { "url": "https://cert-portal.siemens.com/productcert/html/ssa-613116.html" } ] } ] }, "dataVersion": "5.2" }