CVE-2026-31673
Description
In the Linux kernel, the following vulnerability has been resolved:
af_unix: read UNIX_DIAG_VFS data under unix_state_lock
Exact UNIX diag lookups hold a reference to the socket, but not to u->path. Meanwhile, unix_release_sock() clears u->path under unix_state_lock() and drops the path reference after unlocking.
Read the inode and device numbers for UNIX_DIAG_VFS while holding unix_state_lock(), then emit the netlink attribute after dropping the lock.
This keeps the VFS data stable while the reply is being built.
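The locking pattern from the description, as an added userspace model in C (not the kernel patch and not code from the referenced commits). `vfs_ids`, `model_sock`, `model_release` and `model_diag_vfs` are assumed names, a pthread mutex stands in for unix_state_lock(), and the inode and device numbers are constructed.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-ins with assumed names; this is not kernel code. */
struct vfs_ids { uint64_t ino; uint32_t dev; };  /* inode and device numbers */
struct model_sock {
    pthread_mutex_t state_lock;  /* role of unix_state_lock() */
    struct vfs_ids *path;        /* role of u->path; NULL once released */
};

/* Release side as described: clear under the lock, drop after unlocking. */
void model_release(struct model_sock *s)
{
    struct vfs_ids *old;
    pthread_mutex_lock(&s->state_lock);
    old = s->path;
    s->path = NULL;
    pthread_mutex_unlock(&s->state_lock);
    free(old);                   /* stands in for dropping the path reference */
}

/* Fixed diag side: snapshot under the lock, emit from the copy; 1 = written. */
int model_diag_vfs(struct model_sock *s, struct vfs_ids *out)
{
    struct vfs_ids snap = {0, 0};
    int have = 0;
    pthread_mutex_lock(&s->state_lock);
    if (s->path) {               /* pointer is dereferenced only while locked */
        snap = *s->path;
        have = 1;
    }
    pthread_mutex_unlock(&s->state_lock);
    if (have) *out = snap;       /* "emit" step touches only the private copy */
    return have;
}

int main(void)
{
    struct vfs_ids *p = malloc(sizeof(*p));
    struct model_sock s = { PTHREAD_MUTEX_INITIALIZER, p };
    struct vfs_ids a = {0, 0};
    if (!p) return 1;
    p->ino = 4242; p->dev = 66;  /* constructed sample numbers */
    printf("live socket: %d\n", model_diag_vfs(&s, &a));
    model_release(&s);
    printf("released socket: %d\n", model_diag_vfs(&s, &a));
    return 0;
}
```

Because the reader never touches `path` outside the lock, a release that runs between the snapshot and the emit step cannot invalidate the values already copied.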
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel's af_unix diag interface could cause a use-after-free when VFS data is read without proper locking; the fix reads the data under unix_state_lock.
Vulnerability
A race condition exists in the Linux kernel's UNIX domain socket diagnostics (af_unix) code. When building a UNIX_DIAG_VFS netlink attribute, the code reads the inode and device numbers from the socket's path without holding the unix_state_lock. Meanwhile, unix_release_sock() clears u->path under that lock and drops the path reference after unlocking. This creates a window where the path data could be freed or changed while being read, leading to a use-after-free or reading stale data.
Exploitation
Exploitation requires the ability to trigger a UNIX domain socket diag lookup (e.g., via netlink) while concurrently closing the socket. An attacker with local access and the ability to send netlink messages (CAP_NET_ADMIN or within a user namespace) could race the diag request with a close operation on the same socket. The race window is small but potentially exploitable.
Impact
The impact is a use-after-free or reading freed memory, which could lead to information disclosure or potentially privilege escalation. The CVSS score of 7.8 (High) reflects the local attack vector and high impact on confidentiality, integrity, and availability.
Mitigation
The fix was applied in the Linux kernel stable tree, with commits backported to various stable versions. Users should update to a kernel containing the fix. The specific commit referenced is [1] (and backports [2], [3], [4]).
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=3.3,<6.6.136)
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- git.kernel.org/stable/c/0c739f3785f84af695952c2bac8be2f45082c9b8 (nvd, Patch)
- git.kernel.org/stable/c/39897df386376912d561d4946499379effa1e7ef (nvd, Patch)
- git.kernel.org/stable/c/900a4e0910e98b8caef117d5df00471fa438dcf9 (nvd, Patch)
- git.kernel.org/stable/c/b9232421a77a649c9376c99fdfc8cb7f79cad34c (nvd, Patch)
- git.kernel.org/stable/c/bdf206e740bf2919d818f132c8c9cc7ed91d11c0 (nvd, Patch)