CVE-2026-31673

Summary

In the Linux kernel, the following vulnerability has been resolved:

af_unix: read UNIX_DIAG_VFS data under unix_state_lock

Exact UNIX diag lookups hold a reference to the socket, but not to u->path. Meanwhile, unix_release_sock() clears u->path under unix_state_lock() and drops the path reference after unlocking.

Read the inode and device numbers for UNIX_DIAG_VFS while holding unix_state_lock(), then emit the netlink attribute after dropping the lock.

This keeps the VFS data stable while the reply is being built.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux5f7b0569460b7d8d01ca776430a00505a68b7584 < e7339db13b9ddb63417b12da55fd6191e59f7442affected
LinuxLinux5f7b0569460b7d8d01ca776430a00505a68b7584 < 4f6a8f10182c3a9d22e8eb183957ae7ade9e4bf7affected
LinuxLinux5f7b0569460b7d8d01ca776430a00505a68b7584 < c3ec44ab4526bbc4b6c9fc845af86488244f4c9baffected
LinuxLinux5f7b0569460b7d8d01ca776430a00505a68b7584 < b9232421a77a649c9376c99fdfc8cb7f79cad34caffected
LinuxLinux5f7b0569460b7d8d01ca776430a00505a68b7584 < 0c739f3785f84af695952c2bac8be2f45082c9b8affected
LinuxLinux5f7b0569460b7d8d01ca776430a00505a68b7584 < 900a4e0910e98b8caef117d5df00471fa438dcf9affected
LinuxLinux5f7b0569460b7d8d01ca776430a00505a68b7584 < bdf206e740bf2919d818f132c8c9cc7ed91d11c0affected
LinuxLinux5f7b0569460b7d8d01ca776430a00505a68b7584 < 39897df386376912d561d4946499379effa1e7efaffected
LinuxLinux3.3affected
LinuxLinux0 < 3.3unaffected
LinuxLinux5.10.258 <= 5.10.*unaffected
LinuxLinux5.15.209 <= 5.15.*unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.136 <= 6.6.*unaffected
LinuxLinux6.12.83 <= 6.12.*unaffected
LinuxLinux6.18.24 <= 6.18.*unaffected
LinuxLinux6.19.14 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References