CVE-2024-26732: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-26732 addresses a locking vulnerability in the Linux kernel's implementation of setsockopt(SOPEEKOFF). The issue was discovered when syzbot reported a lockdep violation involving afunix support of SOPEEK_OFF. The vulnerability affects Linux kernel versions from 6.7 up to (excluding) 6.7.7, and various release candidates of version 6.8 (rc1 through rc5) (NVD).

The vulnerability stems from unnecessary thread safety enforcement in the kernel's handling of SOPEEKOFF socket option. Since SOPEEKOFF is inherently not thread safe (using a per-socket skpeekoff field), the implementation was creating pointless lock dependencies. The issue manifested as a circular locking dependency between the socket lock (sklock-AFUNIX) and the unix socket's iolock (u->iolock) (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability could lead to deadlock conditions in the Linux kernel when applications use the SOPEEKOFF socket option with Unix domain sockets. This could potentially result in system availability issues, as indicated by the high availability impact in the CVSS score (NVD).

The vulnerability has been patched in the Linux kernel. The fix implements a lockless setsockopt(SOPEEKOFF) by removing the unnecessary thread safety enforcement. After the patch, setsockopt(SOPEEKOFF) no longer acquires the socket lock, skbconsumeudp() no longer requires socket lock acquisition, and afunix no longer needs a special version of sksetpeekoff() (Kernel Patch).