Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Medium

Linux kernel af_unix stale oob_skb handling in OOB data path

IdentifiersCVE-2024-35970CWE-664

CVE-2024-35970 is a Linux kernel vulnerability in the AF_UNIX socket subsystem's out-of-band (OOB) data handling. The bug is in the logic described as manage_oob(), where recvmsg() invoked without MSG_OOB checks whether the next skb is marked as OOB. When such an OOB skb is dequeued from the receive queue, the kernel fails to clear unix_sock(sk)->oob_skb, leaving a stale pointer/state reference behind. The issue has existed since the introduction of AF_UNIX OOB support and was exposed more clearly after later garbage-collection changes. In affected scenarios, a UNIX domain socket can send its own file descriptor as OOB data via SCM_RIGHTS, then trigger asynchronous close and garbage collection paths. Because the stale oob_skb state is retained after dequeue, the socket state becomes inconsistent with the receive queue contents, leading to incorrect OOB semantics, persistent EPOLLPRI signaling, and interaction with AF_UNIX garbage collection that can result in deadlock or unreclaimed garbage.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful triggering can cause denial of service in the kernel AF_UNIX subsystem. Reported effects include deadlock involving unix_gc_lock during garbage collection, incorrect poll behavior with EPOLLPRI continuously asserted after OOB data has already been consumed or skipped, and memory/resource leakage where garbage remains linked on the global inflight list and is not freed. The vulnerability does not, from the provided content, establish code execution or privilege escalation; the demonstrated impact is kernel-side availability degradation and resource retention.

Mitigation

If you can’t patch tonight, do this now.

Until patched, reduce exposure by limiting untrusted local code execution on affected systems, since exploitation requires the ability to create and manipulate AF_UNIX socketpairs and exercise OOB/SCM_RIGHTS behavior locally. Where practical, constrain unprivileged local workloads with sandboxing or container policies that restrict access to vulnerable kernel attack surface. No complete mitigation short of patching is provided in the content.

Remediation

Patch, then assume compromise.

Apply the upstream Linux kernel fix that clears unix_sock(sk)->oob_skb when the OOB skb is dequeued from the receive queue in the AF_UNIX OOB handling path. Downstream consumers should update to a kernel release containing the fix for CVE-2024-35970 or backport the patch into supported kernels.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2024-35970
NVD
nvd.nist.gov/vuln/detail/CVE-2024-35970
MITRE CWE · CWE-664
cwe.mitre.org
Patch
git.kernel.org/stable/c/601a89ea24d05089debfa2dc896ea9f5937ac7a6
Patch
git.kernel.org/stable/c/698a95ade1a00e6494482046902b986dfffd1caf
Patch
git.kernel.org/stable/c/84a352b7eba1142a95441380058985ff19f25ec9
Patch
git.kernel.org/stable/c/b46f4eaa4f0ec38909fb0072eea3aeddb32f954e
Patch
git.kernel.org/stable/c/b4bc99d04c689b5652665394ae8d3e02fb754153