Description
In the Linux kernel, the following vulnerability has been resolved:

vsock/virtio: fix empty payload in tap skb for non-linear buffers

For non-linear skbs, virtio_transport_build_skb() goes through
virtio_transport_copy_nonlinear_skb() to copy the original payload
in the new skb to be delivered to the vsockmon tap device.
This manually initializes an iov_iter but does not set iov_iter.count.
Since the iov_iter is zero-initialized, the copy length is zero and no
payload is actually copied to the monitor interface, leaving data
un-initialized.

Fix this by removing the linear vs non-linear split and using
skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as
vhost-vsock already does. This handles both linear and non-linear skbs,
properly initializes the iov_iter, and removes the now unused
virtio_transport_copy_nonlinear_skb().

While touching this code, let's also check the return value of
skb_copy_datagram_iter(), even though it's unlikely to fail.
Published: 2026-05-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s virtio transport layer contained a logic error where the iov_iter struct used to copy non‑linear socket buffers was zero‑initialized without setting its count field. As a result, the copy operation treated the payload length as zero and transmitted uninitialized data to the vsockmon tap device. This flaw is associated with CWE‑401. While the vulnerability does not grant code execution, it could expose arbitrary kernel memory or corrupt data sent to the monitor interface.
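The failure mode described above, reduced to a userspace C model. This is an added example, not kernel code and not taken from the fix; `model_iter`, `model_copy_frags` and `model_build_tap` are hypothetical names, the payload is constructed, and the 0xAA fill stands in for whatever stale bytes a fresh buffer holds.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical userspace stand-in for an iov_iter: only what the bug needs. */
struct model_iter {
    unsigned char *base;   /* next destination byte */
    size_t count;          /* bytes the iterator will still accept */
};

/* Copy len bytes from fragments into the iterator, never exceeding
 * it->count (the property the description relies on). Returns bytes copied. */
static size_t model_copy_frags(const unsigned char *const *frags,
                               const size_t *frag_len, size_t nfrags,
                               size_t len, struct model_iter *it)
{
    size_t copied = 0;
    for (size_t i = 0; i < nfrags && copied < len; i++) {
        size_t n = frag_len[i];
        if (n > len - copied) n = len - copied;
        if (n > it->count) n = it->count;   /* count == 0: nothing copied */
        memcpy(it->base, frags[i], n);
        it->base += n;
        it->count -= n;
        copied += n;
    }
    return copied;
}

/* Build the monitor copy of a constructed 11-byte, two-fragment payload.
 * set_count == 0 reproduces the missing iov_iter.count assignment.
 * Returns 0 on a full copy, -1 on a short one (the added return check). */
static int model_build_tap(unsigned char *tap, size_t tap_len, int set_count)
{
    static const unsigned char f0[] = "HELLO-", f1[] = "VSOCK";
    const unsigned char *const frags[] = { f0, f1 };
    const size_t lens[] = { 6, 5 }, payload = 11;
    struct model_iter it;

    if (tap_len < payload)
        return -1;
    memset(tap, 0xAA, tap_len);      /* stand-in for stale buffer contents */
    memset(&it, 0, sizeof(it));      /* zero-initialised, as in the bug */
    it.base = tap;
    if (set_count)
        it.count = payload;
    return model_copy_frags(frags, lens, 2, payload, &it) == payload ? 0 : -1;
}

int main(void) { unsigned char t[11]; return model_build_tap(t, sizeof(t), 1); }
```

With `set_count` at 0 the destination keeps its stale fill and only the return-value check reveals the short copy; with the count set, both fragments land in the buffer.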

Affected Systems

Any Linux kernel that implements the vsock/virtio driver and exposes a vsockmon tap interface before the commit that unifies the copy logic remains vulnerable. Distribution‑specific kernel packages that have not yet incorporated the fix continue to be affected.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of <1% implies a low likelihood of exploitation. The flaw is not listed in CISA KEV. It is inferred that an attacker could exploit the issue by sending crafted packets through a vSock channel to a device exposing the tap interface; beyond that, the bug simply results in uninitialized payload data being transmitted, so it does not provide remote code execution but can lead to data leakage or integrity problems.

Generated by OpenCVE AI on June 10, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the commit unifying the copy logic and correctly initializing iov_iter.
  • If vSock functionality is not required, disable the CONFIG_VSOCK option and remove the vsockmon tap device to eliminate the vulnerable code path.
  • Apply any vendor‑supplied patches that add checks for the return value of skb_copy_datagram_iter or otherwise tighten copy handling in the vsock transport layer.


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*

Fri, 29 May 2026 05:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-754
CWE-758

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
References
Metrics threat_severity: None
cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
threat_severity: Moderate

Thu, 28 May 2026 13:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-754
CWE-758

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix empty payload in tap skb for non-linear buffers For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized. Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb(). While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail.
Title vsock/virtio: fix empty payload in tap skb for non-linear buffers
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:02:44.626Z

Reserved: 2026-05-13T15:03:33.105Z

Link: CVE-2026-46207

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-28T10:16:36.340

Modified: 2026-06-10T19:18:14.570

Link: CVE-2026-46207

Redhat

Severity: Moderate

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46207 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T20:30:28Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime

  • CWE-824

    Access of Uninitialized Pointer