CVE-2024-38596: af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
A data-race condition has been identified in af_unix. In one data path,
the write function unix_release_sock() atomically writes to
sk->sk_shutdown using WRITE_ONCE. However, on the reader side,
unix_stream_sendmsg() does not read it atomically. Consequently, this
issue is causing the following KCSAN splat to occur:
BUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg
write (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28:
unix_release_sock (net/unix/af_unix.c:640)
unix_release (net/unix/af_unix.c:1050)
sock_close (net/socket.c:659 net/socket.c:1421)
__fput (fs/file_table.c:422)
__fput_sync (fs/file_table.c:508)
__se_sys_close (fs/open.c:1559 fs/open.c:1541)
__x64_sys_close (fs/open.c:1541)
x64_sys_call (arch/x86/entry/syscall_64.c:33)
do_syscall_64 (arch/x86/entry/common.c:?)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
read to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14:
unix_stream_sendmsg (net/unix/af_unix.c:2273)
__sock_sendmsg (net/socket.c:730 net/socket.c:745)
____sys_sendmsg (net/socket.c:2584)
__sys_sendmmsg (net/socket.c:2638 net/socket.c:2724)
__x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750)
x64_sys_call (arch/x86/entry/syscall_64.c:33)
do_syscall_64 (arch/x86/entry/common.c:?)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
value changed: 0x01 -> 0x03
The line numbers are related to commit dd5a440a31fa ("Linux 6.9-rc7").
Commit e1d09c2c2f57 ("af_unix: Fix data races around sk->sk_shutdown.")
addressed a comparable issue in the past regarding sk->sk_shutdown.
However, it overlooked resolving this particular data path.
This patch only offending unix_stream_sendmsg() function, since the
other reads seem to be protected by unix_state_lock() as discussed in
Security readout for executives and security teams
Plain-English summary
CVE-2024-38596 is a Linux kernel data-race bug in Unix domain socket handling. The public record describes a concurrency issue found by KCSAN and resolved in kernel stable commits. There is no CVSS score in the bundle and no KEV listing, so business urgency should be driven by kernel exposure and vendor patch status.
Executive priority
Treat this as a kernel hygiene and exposure-management item, not an emergency based on the available evidence. Prioritize internet-facing infrastructure only if local untrusted workloads are present; otherwise fold into the next approved kernel patch cycle.
Technical view
The flaw is in af_unix: unix_release_sock() writes sk->sk_shutdown atomically, while unix_stream_sendmsg() read the same byte without the matching atomic read. The reported race occurs during socket close and sendmsg/sendmmsg paths. Kernel stable commits adjust unix_stream_sendmsg(); other reads were described as protected by unix_state_lock().
Likely exposure
Systems running Linux kernels or downstream products that include the affected af_unix code may be exposed. The bundle lists Linux as affected across multiple kernel lines, but exact distro impact depends on vendor backports and shipped kernel builds.
Exploitation context
No source in the bundle states active exploitation, public weaponization, or KEV inclusion. The evidence shows a kernel concurrency flaw detected by KCSAN and fixed upstream; real-world impact is not quantified in the provided sources.
Researcher notes
The public description is specific about the race location but incomplete on exploitability and impact. Validation should focus on whether the vendor kernel contains the af_unix fix commits or equivalent backports. Avoid assuming privilege escalation or denial of service without additional vendor evidence.
Mitigation direction
Inventory Linux kernel versions across servers, appliances, containers, and embedded products.
Check distribution and vendor advisories for CVE-2024-38596-specific fixed kernel packages.
Prioritize kernel updates where exposed systems process untrusted local workloads.
Review Debian LTS and device vendor advisories for applicable patched builds.
Schedule reboots or live-patching steps according to normal kernel maintenance policy.
Validation and detection
Confirm the running kernel version and vendor package release on each asset.
Map installed kernels to vendor advisories, not only upstream version numbers.
Verify whether upstream stable fixes are included or backported by the vendor.
Track exceptions for appliances or embedded products pending vendor firmware updates.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-38596 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.