Mallory
Medium

Linux kernel af_unix garbage collection race with MSG_PEEK

Identifiers: CVE-2026-23394, CWE-362 · Concurrent Execution using Shared…

CVE-2026-23394 is a race condition in the Linux kernel AF_UNIX subsystem's garbage-collection logic. In af_unix, the garbage collector can incorrectly conclude that a socket strongly connected component (SCC) is dead when a concurrent recv() using MSG_PEEK temporarily increments a file reference count without properly synchronizing with garbage collection. The bug was reintroduced after earlier fixes when locking previously used in unix_peek_fds() was removed following changes to the GC algorithm. In the reported scenario, one socket in an SCC is closed but still reachable via another socket's receive queue; a concurrent MSG_PEEK on that queue bumps the referenced socket's file refcount, and a subsequent close() on the peer socket changes refcounts while GC is evaluating unix_vertex_dead() for both sockets. Because GC does not observe the MSG_PEEK refcount transition in time, it can misclassify both sockets as dead and purge the receive queue of a still-live socket. The fix uses seqcount_t and memory-ordering to signal MSG_PEEK interference so GC abandons collection of the SCC and defers it to a later run.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful triggering can cause the AF_UNIX garbage collector to purge the receive queue of a live socket, resulting in loss of queued socket state/data and denial of service for affected local IPC paths. The issue is a kernel integrity and availability problem rather than a direct code-execution primitive based on the provided information.

Mitigation

If you can’t patch tonight, do this now.

Until patched kernels are deployed, reduce exposure by limiting untrusted local code execution on affected systems, since exploitation requires local interaction with AF_UNIX sockets and precise timing between MSG_PEEK, close(), and garbage collection. There is no specific configuration-only mitigation described in the provided content.

Remediation

Patch, then assume compromise.

Apply the upstream Linux kernel fix for CVE-2026-23394. The remediation changes af_unix garbage collection so that if MSG_PEEK interference is detected during dead-SCC evaluation, GC gives up collecting that SCC and defers it to a subsequent run. Downstream vendors should backport the fix to affected kernel branches.
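
The following is an added illustration, not code from the kernel or from this page: a simplified user-space model of the seqcount check described above, replaying the reported MSG_PEEK/close() interleaving deterministically with the guard on and off. All names (peek_seq, gc_eval_scc, peek_then_close, replay) and the refcount values are assumptions made for the model.

```c
/* User-space model; all names are hypothetical. seq_cst atomics stand in for seqcount_t. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
enum gc_verdict { GC_ALIVE, GC_COLLECT, GC_DEFER };
struct vertex {
    atomic_long file_refs; /* all references to the socket's file */
    long inflight_refs;    /* references from fds queued inside the SCC */
};
static atomic_uint peek_seq; /* odd while a peek is taking a reference */

/* Constructed interleaving: a peek pins socket 0 inside a seqcount-style write
 * section, then the last user fd of socket 1 is closed. */
static void peek_then_close(struct vertex *scc)
{
    atomic_fetch_add(&peek_seq, 1);          /* odd: peek in progress */
    atomic_fetch_add(&scc[0].file_refs, 1);
    atomic_fetch_add(&peek_seq, 1);          /* even again: peek finished */
    atomic_fetch_sub(&scc[1].file_refs, 1);  /* close() on the peer */
}

/* Evaluate one SCC; `between` (may be NULL) runs after the first vertex is
 * checked so a concurrent peek/close can be replayed deterministically. */
static enum gc_verdict gc_eval_scc(struct vertex *scc, size_t n, bool guarded,
                                   void (*between)(struct vertex *))
{
    unsigned start = atomic_load(&peek_seq);
    bool dead = true;
    for (size_t i = 0; i < n; i++) {
        /* A vertex looks dead when only in-flight fds reference its file. */
        dead = dead && atomic_load(&scc[i].file_refs) == scc[i].inflight_refs;
        if (i == 0 && between)
            between(scc);
    }
    if (!dead)
        return GC_ALIVE;
    /* Refcounts moved during evaluation: give up, retry on a later run. */
    if (guarded && ((start & 1) || atomic_load(&peek_seq) != start))
        return GC_DEFER;
    return GC_COLLECT;
}

/* Replay the scenario: returns this run's verdict, stores the next run's in *next. */
static enum gc_verdict replay(bool guarded, enum gc_verdict *next)
{
    struct vertex scc[2] = { { 1, 1 }, { 2, 1 } }; /* constructed: 0 closed, 1 open */
    enum gc_verdict first = gc_eval_scc(scc, 2, guarded, peek_then_close);
    *next = gc_eval_scc(scc, 2, guarded, NULL);
    return first;
}
```

Without the guard the model reports the SCC as collectable even though socket 0 has just been pinned by the peek; with it, the run is deferred and the next run sees the extra reference.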

PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Linux | Linux Kernel | operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
