Description
In the Linux kernel, the following vulnerability has been resolved:

vsock/virtio: Coalesce only linear skb

vsock/virtio common tries to coalesce buffers in rx queue: if a linear skb
(with a spare tail room) is followed by a small skb (length limited by
GOOD_COPY_LEN = 128), an attempt is made to join them.

Since the introduction of MSG_ZEROCOPY support, assumption that a small skb
will always be linear is incorrect. In the zerocopy case, data is lost and
the linear skb is appended with uninitialized kernel memory.

Of all 3 supported virtio-based transports, only loopback-transport is
affected. G2H virtio-transport rx queue operates on explicitly linear skbs;
see virtio_vsock_alloc_linear_skb() in virtio_vsock_rx_fill(). H2G
vhost-transport may allocate non-linear skbs, but only for sizes that are
not considered for coalescence; see PAGE_ALLOC_COSTLY_ORDER in
virtio_vsock_alloc_skb().

Ensure only linear skbs are coalesced. Note that skb_tailroom(last_skb) > 0
guarantees last_skb is linear.
Published: 2026-02-04
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: Integrity Compromise
Action: Patch
AI Analysis

Impact

The Linux kernel's vsock/virtio subsystem was found to incorrectly merge small receive buffers under certain zero‑copy conditions, which can cause a linear socket buffer to be appended with uninitialized kernel memory, leading to data loss and potential corruption of kernel memory and compromising the integrity of data processed by the vsock transport.

Affected Systems

The flaw affects the loopback‑based vsock/virtio transport in Linux kernel implementations; it does not impact the g2h transport, which always allocates linear buffers, nor the h2g vhost channel, which avoids small non‑linear buffers. Because specific kernel version information is not provided, users should verify that their current kernel includes the fix that introduces safe handling of skb coalescence.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.0 and an EPSS exploitation probability of less than 1 %, and it has not been listed in the CISA Known Exploited Vulnerabilities catalog. The attack surface resides in kernel space, requiring interaction with the vsock/virtio loopback interface; although rare, an attacker could trigger repeated mis‑coalescence to corrupt kernel memory, potentially enabling privilege escalation or system crash.

Generated by OpenCVE AI on April 17, 2026 at 23:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the vsock zero‑copy buffer coalescence fix.
  • If updating is not possible, disable MSG_ZEROCOPY for the vsock/virtio loopback transport by building the kernel with the option turned off or by setting the appropriate runtime parameter.
  • Continuously monitor system logs and application behavior for anomalous vsock activity or kernel panics, and disable the loopback vsock transport if it is not needed.

Generated by OpenCVE AI on April 17, 2026 at 23:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6126-1 linux security update
History

Sat, 18 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-457

Thu, 05 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 04 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Coalesce only linear skb vsock/virtio common tries to coalesce buffers in rx queue: if a linear skb (with a spare tail room) is followed by a small skb (length limited by GOOD_COPY_LEN = 128), an attempt is made to join them. Since the introduction of MSG_ZEROCOPY support, assumption that a small skb will always be linear is incorrect. In the zerocopy case, data is lost and the linear skb is appended with uninitialized kernel memory. Of all 3 supported virtio-based transports, only loopback-transport is affected. G2H virtio-transport rx queue operates on explicitly linear skbs; see virtio_vsock_alloc_linear_skb() in virtio_vsock_rx_fill(). H2G vhost-transport may allocate non-linear skbs, but only for sizes that are not considered for coalescence; see PAGE_ALLOC_COSTLY_ORDER in virtio_vsock_alloc_skb(). Ensure only linear skbs are coalesced. Note that skb_tailroom(last_skb) > 0 guarantees last_skb is linear.
Title vsock/virtio: Coalesce only linear skb
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:37:55.428Z

Reserved: 2026-01-13T15:37:45.951Z

Link: CVE-2026-23057

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-02-04T17:16:16.380

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23057

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23057 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T23:45:25Z

Weaknesses