HOMEVULNERABILITIESCVE-2026-23394
NONE

CVE-2026-23394

Published: March 25, 2026· Updated: Mar 25, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:4.7th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

af_unix: Give up GC if MSG_PEEK intervened.

Igor Ushakov reported that GC purged the receive queue of

an alive socket due to a race with MSG_PEEK with a nice repro.

This is the exact same issue previously fixed by commit

cbcf01128d0a ("af_unix: fix garbage collect vs MSG_PEEK").

After GC was replaced with the current algorithm, the cited

commit removed the locking dance in unix_peek_fds() and

reintroduced the same issue.

The problem is that MSG_PEEK bumps a file refcount without

interacting with GC.

Consider an SCC containing sk-A and sk-B, where sk-A is

close()d but can be recv()ed via sk-B.

The bad thing happens if sk-A is recv()ed with MSG_PEEK from

sk-B and sk-B is close()d while GC is checking unix_vertex_dead()

for sk-A and sk-B.

GC thread User thread

--------- -----------

unix_vertex_dead(sk-A)

-> true <------.

\

`------ recv(sk-B, MSG_PEEK)

invalidate !! -> sk-A's file refcount : 1 -> 2

close(sk-B)

-> sk-B's file refcount : 2 -> 1

unix_vertex_dead(sk-B)

-> true

Initially, sk-A's file refcount is 1 by the inflight fd in sk-B

recvq. GC thinks sk-A is dead because the file refcount is the

same as the number of its inflight fds.

However, sk-A's file refcount is bumped silently by MSG_PEEK,

which invalidates the previous evaluation.

At this moment, sk-B's file refcount is 2; one by the open fd,

and one by the inflight fd in sk-A. The subsequent close()

releases one refcount by the former.

Finally, GC incorrectly concludes that both sk-A and sk-B are dead.

One option is to restore the locking dance in unix_peek_fds(),

but we can resolve this more elegantly thanks to the new algorithm.

The point is that the issue does not occur without the subsequent

close() and we actually do not need to synchronise MSG_PEEK with

the dead SCC detection.

When the issue occurs, close() and GC touch the same file refcount.

If GC sees the refcount being decremented by close(), it can just

give up garbage-collecting the SCC.

Therefore, we only need to signal the race during MSG_PEEK with

a proper memory barrier to make it visible to the GC.

Let's use seqcount_t to notify GC when MSG_PEEK occurs and let

it defer the SCC to the next run.

This way no locking is needed on the MSG_PEEK side, and we can

avoid imposing a penalty on every MSG_PEEK unnecessarily.

Note that we can retry within unix_scc_dead() if MSG_PEEK is

detected, but we do not do so to avoid hung task splat from

abusive MSG_PEEK calls.

NVD Source

Technical Analysis

CVE-2026-23394 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (2)

Quick Facts

CVE IDCVE-2026-23394
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedMar 25, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23394 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.