CVE-2023-54226
Description
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Fix data races around sk->sk_shutdown.
KCSAN found a data race around sk->sk_shutdown where unix_release_sock() and unix_shutdown() update it under unix_state_lock(), OTOH unix_poll() and unix_dgram_poll() read it locklessly.
We need to annotate the writes and reads with WRITE_ONCE() and READ_ONCE().
BUG: KCSAN: data-race in unix_poll / unix_release_sock
write to 0xffff88800d0f8aec of 1 bytes by task 264 on cpu 0:
 unix_release_sock+0x75c/0x910 net/unix/af_unix.c:631
 unix_release+0x59/0x80 net/unix/af_unix.c:1042
 __sock_release+0x7d/0x170 net/socket.c:653
 sock_close+0x19/0x30 net/socket.c:1397
 __fput+0x179/0x5e0 fs/file_table.c:321
 ____fput+0x15/0x20 fs/file_table.c:349
 task_work_run+0x116/0x1a0 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
 syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297
 do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
read to 0xffff88800d0f8aec of 1 bytes by task 222 on cpu 1:
 unix_poll+0xa3/0x2a0 net/unix/af_unix.c:3170
 sock_poll+0xcf/0x2b0 net/socket.c:1385
 vfs_poll include/linux/poll.h:88 [inline]
 ep_item_poll.isra.0+0x78/0xc0 fs/eventpoll.c:855
 ep_send_events fs/eventpoll.c:1694 [inline]
 ep_poll fs/eventpoll.c:1823 [inline]
 do_epoll_wait+0x6c4/0xea0 fs/eventpoll.c:2258
 __do_sys_epoll_wait fs/eventpoll.c:2270 [inline]
 __se_sys_epoll_wait fs/eventpoll.c:2265 [inline]
 __x64_sys_epoll_wait+0xcc/0x190 fs/eventpoll.c:2265
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
value changed: 0x00 -> 0x03
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 222 Comm: dbus-broker Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A data race in the Linux kernel's AF_UNIX socket shutdown handling can lead to incorrect poll results, potentially causing denial of service.
Vulnerability
Description
CVE-2023-54226 is a data race condition in the Linux kernel's AF_UNIX (Unix domain socket) implementation. The race occurs around the sk->sk_shutdown field, which is used to track the shutdown state of a socket. The Kernel Concurrency Sanitizer (KCSAN) detected that unix_release_sock() and unix_shutdown() update this field while holding the unix_state_lock, but unix_poll() and unix_dgram_poll() read it without any locking. This lack of synchronization can lead to inconsistent reads of the shutdown state.
Exploitation
An attacker can exploit this vulnerability by triggering a race condition between a socket release or shutdown operation and a poll operation on the same socket. This is achievable through normal system calls, such as close() or shutdown() on one thread, while another thread performs poll() or epoll_wait() on the same socket. The race window is small, but an attacker with local access to the system can repeatedly attempt to trigger it. No special privileges are required beyond the ability to create and manipulate Unix domain sockets.
Impact
Successful exploitation can cause unix_poll() or unix_dgram_poll() to read an outdated or partially updated sk->sk_shutdown value. This may result in the poll system call returning incorrect events, such as indicating that a socket is readable or writable when it is actually shut down, or vice versa. This can lead to unexpected behavior in applications relying on poll for I/O multiplexing, potentially causing a denial of service (DoS) by making them hang, crash, or behave incorrectly. The vulnerability does not directly allow arbitrary code execution or privilege escalation.
Mitigation
The fix involves annotating the writes and reads of sk->sk_shutdown with WRITE_ONCE() and READ_ONCE() to ensure atomic and properly ordered access. The patch has been applied to the Linux kernel stable trees, as seen in commits [1], [2], and [3]. Users should update their kernels to versions containing the fix to mitigate this issue.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
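A userspace model of why the lockless readers are annotated, added here as an example and not taken from the kernel patch. The two-load reader, the mid_poll hook and the EV_* bits are hypothetical: the hook stands in for unix_release_sock() running on another CPU in the middle of a poll, and the volatile macros only imitate the kernel's READ_ONCE()/WRITE_ONCE().

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-ins for the kernel macros: exactly one volatile access each. */
#define READ_ONCE(x)     (*(const volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v) (*(volatile __typeof__(x) *)&(x) = (v))
#define RCV_SHUTDOWN  1
#define SHUTDOWN_MASK 3   /* the report's "value changed: 0x00 -> 0x03" */
enum { EV_IN = 0x01, EV_HUP = 0x10, EV_RDHUP = 0x20 };  /* model bits, not EPOLL* */

struct model_sock {
    uint8_t sk_shutdown;
    void (*mid_poll)(struct model_sock *);  /* hypothetical: a writer lands mid-poll */
};

/* Writer: in the kernel this store is made under unix_state_lock(). */
static void model_release(struct model_sock *sk) {
    WRITE_ONCE(sk->sk_shutdown, SHUTDOWN_MASK);
}

/* Unannotated reader (hypothetical): every test reloads the field. */
static unsigned poll_two_loads(struct model_sock *sk) {
    unsigned mask = 0;
    if (sk->sk_shutdown == SHUTDOWN_MASK) mask |= EV_HUP;
    sk->mid_poll(sk);
    if (sk->sk_shutdown & RCV_SHUTDOWN) mask |= EV_RDHUP | EV_IN;
    return mask;
}

/* Annotated reader: one READ_ONCE() snapshot drives every decision. */
static unsigned poll_snapshot(struct model_sock *sk) {
    uint8_t shutdown = READ_ONCE(sk->sk_shutdown);
    unsigned mask = 0;
    sk->mid_poll(sk);
    if (shutdown == SHUTDOWN_MASK) mask |= EV_HUP;
    if (shutdown & RCV_SHUTDOWN) mask |= EV_RDHUP | EV_IN;
    return mask;
}

/* Poll a fresh socket while the release store lands in the middle of the poll. */
static unsigned demo(unsigned (*poll_fn)(struct model_sock *)) {
    struct model_sock sk = { 0, model_release };
    return poll_fn(&sk);
}

int main(void) {
    printf("two loads: 0x%02x  snapshot: 0x%02x\n", demo(poll_two_loads), demo(poll_snapshot));
    return 0;
}
```

The two-load reader returns 0x21 (read-hangup without hangup), a mask that corresponds to no value the field ever held, while the snapshot reader returns 0x00, consistent with the state before the release.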
References
- git.kernel.org/stable/c/196528ad484443627779540697f4fb0ef0e01c52 (nvd)
- git.kernel.org/stable/c/1c488f4e95b498c977fbeae784983eb4cf6085e8 (nvd)
- git.kernel.org/stable/c/8307e372e7445ec7d3cd2ff107ce5078eaa02815 (nvd)
- git.kernel.org/stable/c/a41559ae3681975f1ced815d8d4c983b6b938499 (nvd)
- git.kernel.org/stable/c/e1d09c2c2f5793474556b60f83900e088d0d366d (nvd)
- git.kernel.org/stable/c/e410895892f99700ce54347d42c8dbe962eea9f4 (nvd)
- git.kernel.org/stable/c/f237f79b63c9242450e6869adcd2c10445859f28 (nvd)