CVE-2024-38596

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.9-rc7

Description A data-race condition has been identified in the af unix component of the Linux kernel. This issue occurs because the write function unix release sock() atomically writes to sk->sk shutdown using WRITE ONCE, but the reader side, unix stream sendmsg(), does not read it atomically. This can cause a KCSAN splat to occur, indicating a data-race in unix release sock and unix stream sendmsg. The issue is related to the unix stream sendmsg() function not being protected by unix state lock(), unlike other reads.

Recommendations To resolve this issue, update the Linux kernel to version 6.9-rc7 or later. As a temporary workaround, consider disabling the unix stream sendmsg() function until a patch is available. Restrict access to the vulnerable af unix module to minimize the risk of exploitation. Avoid using the sk->sk shutdown variable in the affected API endpoints until the issue is resolved. At the moment, there is no information about additional mitigation measures.