Description
In the Linux kernel, the following vulnerability has been resolved:

af_unix: read UNIX_DIAG_VFS data under unix_state_lock

Exact UNIX diag lookups hold a reference to the socket, but not to
u->path. Meanwhile, unix_release_sock() clears u->path under
unix_state_lock() and drops the path reference after unlocking.

Read the inode and device numbers for UNIX_DIAG_VFS while holding
unix_state_lock(), then emit the netlink attribute after dropping the
lock.

This keeps the VFS data stable while the reply is being built.
Published: 2026-04-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arose in the Linux kernel's af_unix code, where a UNIX_DIAG_VFS diagnostic request could read the inode and device numbers of a UNIX socket's path without holding a reference to that path, while unix_release_sock() could concurrently clear it and drop its reference. The fix reads the data while unix_state_lock is held and emits the netlink attribute only after the lock is released, eliminating the race condition and protecting against data leakage. Based on the description, it is inferred that the race might lead to unstable kernel behavior, though this is not explicitly mentioned.
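
The locking pattern the description states (copy the values under the lock, emit after unlocking), modelled in user space as an added example. This is not the kernel patch: `model_sock`, `model_diag_vfs`, `model_release` and `model_new` are hypothetical names, and a pthread mutex stands in for unix_state_lock().

```c
#include <pthread.h>
#include <stdlib.h>

/* User-space model only; names are hypothetical, not kernel identifiers. */
struct vfs_path { unsigned long ino; unsigned int dev; };
struct diag_vfs { unsigned long ino; unsigned int dev; };

struct model_sock {
    pthread_mutex_t state_lock;  /* stands in for unix_state_lock() */
    struct vfs_path *path;       /* stands in for u->path; may be cleared */
};

/* Release side: clear the pointer under the lock, drop the object after. */
void model_release(struct model_sock *s)
{
    pthread_mutex_lock(&s->state_lock);
    struct vfs_path *old = s->path;
    s->path = NULL;
    pthread_mutex_unlock(&s->state_lock);
    free(old);                   /* reference dropped outside the lock */
}

/* Diag side: snapshot both numbers while the lock keeps s->path stable,
 * then build the reply from the private copy. Returns 1 if emitted. */
int model_diag_vfs(struct model_sock *s, struct diag_vfs *reply)
{
    struct diag_vfs snap = {0, 0};
    int have = 0;

    pthread_mutex_lock(&s->state_lock);
    if (s->path) {
        snap.ino = s->path->ino;
        snap.dev = s->path->dev;
        have = 1;
    }
    pthread_mutex_unlock(&s->state_lock);

    if (!have)
        return 0;                /* path already cleared: emit nothing */
    *reply = snap;               /* "emit" step touches no shared state */
    return 1;
}

/* Constructed sample socket for the walk-through. */
struct model_sock *model_new(unsigned long ino, unsigned int dev)
{
    struct model_sock *s = malloc(sizeof(*s));
    pthread_mutex_init(&s->state_lock, NULL);
    s->path = malloc(sizeof(*s->path));
    s->path->ino = ino;
    s->path->dev = dev;
    return s;
}
```

Dereferencing `s->path` after the unlock in `model_diag_vfs` would reintroduce the window in which `model_release` frees the object.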

Affected Systems

All releases of the Linux kernel containing the unfixed af_unix code are affected, as the flaw resides in the core kernel source. The CNA indicates the vendor as Linux:Linux, and no specific version ranges are listed, so every kernel version prior to the patch is considered vulnerable.

Risk and Exploitability

The CVSS score of 7.8 signals a serious risk, yet the EPSS score of less than 1% suggests that exploitation is unlikely under current conditions, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local: an attacker with access to the same host could send a netlink diagnostic request to the kernel, potentially exposing VFS metadata. Based on the description, the impact might include confidentiality compromise, but a direct correlation to kernel crashes is not explicitly stated.

Generated by OpenCVE AI on May 6, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the system’s kernel to a version that contains the af_unix diagnostic fix and reboot into it.
  • Deny or restrict unprivileged processes from sending netlink diagnostic messages to the af_unix module by applying local security rules (e.g., using SELinux or AppArmor profiles to limit netlink access).
  • If a kernel upgrade is not immediately possible, monitor systems for unusual kernel panics related to socket diagnostics and isolate affected hosts until the patch can be deployed.

Advisories

| Source | ID | Title |
|---|---|---|
| Debian DSA | DSA-6238-1 | linux security update |

History

Wed, 06 May 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | NVD-CWE-noinfo |
| CPEs | | cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*, cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*, cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*, cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*, cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*, cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*, cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:* |

Mon, 27 Apr 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'} | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'} |

Mon, 27 Apr 2026 14:15:00 +0000


Mon, 27 Apr 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-413 |
| References | | |
| Metrics | threat_severity: None | cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity: Moderate |

Sat, 25 Apr 2026 09:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In the Linux kernel, the following vulnerability has been resolved: af_unix: read UNIX_DIAG_VFS data under unix_state_lock Exact UNIX diag lookups hold a reference to the socket, but not to u->path. Meanwhile, unix_release_sock() clears u->path under unix_state_lock() and drops the path reference after unlocking. Read the inode and device numbers for UNIX_DIAG_VFS while holding unix_state_lock(), then emit the netlink attribute after dropping the lock. This keeps the VFS data stable while the reply is being built. |
| Title | | af_unix: read UNIX_DIAG_VFS data under unix_state_lock |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Vendors & Products | | Linux; Linux linux Kernel |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:13:25.680Z

Reserved: 2026-03-09T15:48:24.130Z

Link: CVE-2026-31673

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-25T09:16:00.423

Modified: 2026-05-06T21:36:13.513

Link: CVE-2026-31673

Redhat

Severity: Moderate

Public Date: 2026-04-25T00:00:00Z

Links: CVE-2026-31673 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-06T22:30:13Z
