GHSA-q6v9-43v5-jv9q

Source
https://github.com/advisories/GHSA-q6v9-43v5-jv9q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-q6v9-43v5-jv9q/GHSA-q6v9-43v5-jv9q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q6v9-43v5-jv9q
Aliases
  • CVE-2026-54778
Published
2026-06-19T20:46:58Z
Modified
2026-06-19T21:00:15.945644078Z
Severity
  • 6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
Summary
CoreWCF: UnixDomainSocket Non-Reentrant POSIX Identity Resolution
Details

Impact

Race condition in POSIX peer identity resolution may attribute one connection’s identity to another (getpwuid/getgrgid non-reentrant) and may crash the host process under contention.

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1.

Workarounds

Restrict UDS filesystem permissions so that only trusted local users can connect to the socket path. The race still exists but the attacker pool is constrained.
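
The non-reentrancy named under Impact, shown with the POSIX calls themselves. This is an added C example, not CoreWCF's code or its fix: `resolve_user_name` is a hypothetical helper that resolves a uid with `getpwuid_r` and caller-owned buffers, and the same pattern applies to `getgrgid_r`.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* getpwuid()/getgrgid() may return a pointer to static storage shared between
 * threads, so a concurrent lookup can overwrite the record while it is read.
 * getpwuid_r() writes only into buffers the caller owns.
 * Returns 0 on success, 1 if the uid has no passwd entry, -1 on error. */
int resolve_user_name(uid_t uid, char *out, size_t outlen)
{
    long hint = sysconf(_SC_GETPW_R_SIZE_MAX);
    size_t len = hint > 0 ? (size_t)hint : 1024;

    for (;;) {
        char *buf = malloc(len);          /* per-call scratch space */
        if (buf == NULL)
            return -1;
        struct passwd pw, *res = NULL;
        int err = getpwuid_r(uid, &pw, buf, len, &res);
        if (err == ERANGE && len < ((size_t)1 << 20)) {
            free(buf);                    /* record did not fit: grow and retry */
            len *= 2;
            continue;
        }
        int rc = -1;
        if (err == 0 && res == NULL)
            rc = 1;                       /* no such uid */
        else if (err == 0 && strlen(pw.pw_name) < outlen) {
            strcpy(out, pw.pw_name);      /* copy out before freeing buf */
            rc = 0;
        }
        free(buf);
        return rc;
    }
}

int main(void)
{
    char name[256];
    int rc = resolve_user_name(getuid(), name, sizeof name);
    printf("uid %ld -> %s\n", (long)getuid(), rc == 0 ? name : "(unresolved)");
    return 0;
}
```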

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-06-19T20:46:58Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-362",
        "CWE-825"
    ]
}
Affected packages

NuGet / CoreWCF.UnixDomainSocket

Package

Name
CoreWCF.UnixDomainSocket
Purl
pkg:nuget/CoreWCF.UnixDomainSocket

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.8.1

Affected versions

1.*
1.5.0-preview1
1.5.0
1.5.1
1.5.2
1.6.0
1.7.0
1.8.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-q6v9-43v5-jv9q/GHSA-q6v9-43v5-jv9q.json"

NuGet / CoreWCF.UnixDomainSocket

Package

Name
CoreWCF.UnixDomainSocket
Purl
pkg:nuget/CoreWCF.UnixDomainSocket

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.9.0
Fixed
1.9.1

Affected versions

1.*
1.9.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-q6v9-43v5-jv9q/GHSA-q6v9-43v5-jv9q.json"