CVE-2024-26676

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.8.0

Description A memory leak vulnerability has been identified in the Linux kernel. The issue arises from a lack of MSG OOB handling in the af unix module, resulting in a self-cyclic reference that the garbage collector (GC) fails to resolve. This leads to a memory leak, as the leaked socket remains linked to a global list and cannot be detected by kmemleak. The problem was introduced by a commit that added full SCM support for MSG OOB and has been present since then. To fix the issue, it is necessary to call kfree skb() for the dead unix (sk)->oob skb in GC and set oob skb to NULL before calling kfree skb() to prevent duplicate calls.

Recommendations To resolve the issue, update the Linux kernel to a version that includes the fix for this vulnerability. Specifically, ensure that the kernel version is 6.8.0 or later, as this version includes the necessary patches to address the memory leak. If updating the kernel is not feasible, consider applying the patch manually or using a kernel version that has been patched to include the fix.