In the Linux kernel, the following vulnerability has been resolved: af_unix: read UNIX_DIAG_VFS data under unix_state_lock Exact UNIX diag lookups hold a reference to the socket, but not to u->path. Meanwhile, unix_release_sock() clears u->path under unix_state_lock() and drops the path reference after unlocking. Read the inode and device numbers for UNIX_DIAG_VFS while holding unix_state_lock(), then emit the netlink attribute after dropping the lock. This keeps the VFS data stable while the reply is being built.

A flaw was found in the Linux kernel. A race condition in the `af_unix` component allows a local attacker to cause unstable Virtual File System (VFS) data when `UNIX_DIAG_VFS` data is handled. This occurs because inode and device numbers are read without consistently holding the `unix_state_lock()`, while `u->path` can be cleared. This instability could lead to information disclosure or a denial of service.

`UNIX_DIAG_VFS` dumps now run under `unix_state_lock`, closing races with concurrent unlink/bind. Red Hat treats this as a local diagnostics race in AF_UNIX. Red Hat Enterprise Linux 10 Fix deferred kernel Red Hat Enterprise Linux 6 Not affected kernel Red Hat Enterprise Linux 7 Fix deferred kernel Red Hat Enterprise Linux 7 Fix deferred kernel-rt Red Hat Enterprise Linux 8 Fix deferred kernel Red Hat Enterprise Linux 8 Fix deferred kernel-rt Red Hat Enterprise Linux 9 Fix deferred kernel Red Hat Enterprise Linux 9 Fix deferred kernel-rt https://www.cve.org/CVERecord?id=CVE-2026-31673 https://nvd.nist.gov/vuln/detail/CVE-2026-31673 https://lore.kernel.org/linux-cve-announce/2026042539-CVE-2026-31673-b5f6@gregkh/T