Description
In the Linux kernel, the following vulnerability has been resolved:

vsock/virtio: fix potential underflow in virtio_transport_get_credit()

The credit calculation in virtio_transport_get_credit() uses unsigned
arithmetic:

ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt);

If the peer shrinks its advertised buffer (peer_buf_alloc) while bytes
are in flight, the subtraction can underflow and produce a large
positive value, potentially allowing more data to be queued than the
peer can handle.

Reuse virtio_transport_has_space() which already handles this case and
add a comment to make it clear why we are doing that.

[Stefano: use virtio_transport_has_space() instead of duplicating the code]
[Stefano: tweak the commit message]
Published: 2026-02-04
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential buffer overflow caused by unsigned underflow in virtio_transport_get_credit
Action: Patch immediately
AI Analysis

Impact

The crash originates from unsigned arithmetic in the function virtio_transport_get_credit within the Linux kernel’s virtio vsock subsystem. The calculation uses the peer’s advertised buffer size and subtracts the number of queued bytes, which can underflow if the peer reduces its buffer while bytes are still in flight. The resulting large positive value allows more data to be queued than the peer can safely handle, potentially overflowing the peer’s buffer and leading to memory corruption or a denial of service.

Affected Systems

All Linux kernel implementations that expose the virtio vsock interface are affected, including the 6.19 release candidates referenced in the reported CPEs. Any distribution that ships the default virtio vsock driver with the vulnerable implementation is at risk.

Risk and Exploitability

The CVSS score of 5.5 denotes medium severity, and the EPSS score of less than 1% indicates a very low probability of exploitation. The vulnerability is not present in the CISA KeV catalog. Exploitation would require an attacker able to influence the virtio communication path—typically a guest or host with access to the virtualization environment—making it a local or privileged scenario rather than a remote code execution attack.

Generated by OpenCVE AI on April 18, 2026 at 13:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the virtio_transport_get_credit fix
  • If a kernel upgrade is not feasible in your environment, disable the virtio vsock device or restrict guest traffic to prevent the vulnerable credit calculation from being invoked
  • For custom or embedded Linux builds, apply the upstream patch that replaces the underflowing arithmetic with virtio_transport_has_space() or otherwise validate buffer limits before sending

Generated by OpenCVE AI on April 18, 2026 at 13:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4476-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6126-1 linux security update
Debian DSA Debian DSA DSA-6127-1 linux security update
History

Fri, 13 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-191
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*

Fri, 06 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
References

Thu, 05 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 04 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix potential underflow in virtio_transport_get_credit() The credit calculation in virtio_transport_get_credit() uses unsigned arithmetic: ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); If the peer shrinks its advertised buffer (peer_buf_alloc) while bytes are in flight, the subtraction can underflow and produce a large positive value, potentially allowing more data to be queued than the peer can handle. Reuse virtio_transport_has_space() which already handles this case and add a comment to make it clear why we are doing that. [Stefano: use virtio_transport_has_space() instead of duplicating the code] [Stefano: tweak the commit message]
Title vsock/virtio: fix potential underflow in virtio_transport_get_credit()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:38:08.392Z

Reserved: 2026-01-13T15:37:45.954Z

Link: CVE-2026-23069

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-04T17:16:17.610

Modified: 2026-03-13T21:27:26.643

Link: CVE-2026-23069

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23069 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T14:00:02Z

Weaknesses