CVE-2026-46214 - Vulnerability Details

- vsock/virtio: fix accept queue count leak on transport mismatch

Description

In the Linux kernel, the following vulnerability has been resolved:

vsock/virtio: fix accept queue count leak on transport mismatch

virtio_transport_recv_listen() calls sk_acceptq_added() before
vsock_assign_transport(). If vsock_assign_transport() fails or
selects a different transport, the error path returns without
calling sk_acceptq_removed(), permanently incrementing
sk_ack_backlog.

After approximately backlog+1 such failures, sk_acceptq_is_full()
returns true, causing the listener to reject all new connections.

Fix by moving sk_acceptq_added() to after the transport validation,
matching the pattern used by vmci_transport and hyperv_transport.

Published: 2026-05-28

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel, a flaw in the vsock/virtio transport brings about an accept queue count leak. The function that registers a new socket is invoked before the transport type is verified, causing a permanent backlog increment when the transport assignment later fails or switches. As a result, the backlog grows unchecked, and once it surpasses the limit the listener refuses all additional connections, effectively crippling connectivity for that socket. The vulnerability exposes a denial‑of‑service condition tied to resource exhaustion in the kernel.

Affected Systems

All Linux kernel installations that have not been updated to include the described commit are vulnerable. The issue originates in the vsock/virtio module, so any system using that transport layer—common in virtualized environments—could be impacted.

Risk and Exploitability

The flaw grants a denial‑of‑service without requiring elevated privileges, though it necessitates an ability to trigger connection attempts that fail transport validation. Because the backlog increment is persistent, repeated failures will lock the listener. The CVSS score of 5.5 indicates a medium‑severity risk, and the EPSS score of < 1% suggests a low likelihood of exploitation. However, the potential to disrupt services in environments that rely on vsock connections makes it a high‑priority target for attackers. The vulnerability is not listed in the CISA KEV catalog.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`c0cfa2d8a788fcf45df5bf4070ab2474c88d543a`	affected	< 2ea5d2c79edcc99c7dbe0bb7518f5e1ee2a2391f
`c0cfa2d8a788fcf45df5bf4070ab2474c88d543a`	affected	< fd51e810affa38d735d04261e673b2a5fe9c8665
`c0cfa2d8a788fcf45df5bf4070ab2474c88d543a`	affected	< f66c7904fb6f0e420a654bc90909e64a25d00896
`c0cfa2d8a788fcf45df5bf4070ab2474c88d543a`	affected	< 65c484726e74013a2ec7ba67a34d87760ae8f390
`c0cfa2d8a788fcf45df5bf4070ab2474c88d543a`	affected	< 29371f3cc83e2a92265b4768014a30b80234112f
`c0cfa2d8a788fcf45df5bf4070ab2474c88d543a`	affected	< e9edf9893cf26d060705c910a9b62d8cc96ed56a
`c0cfa2d8a788fcf45df5bf4070ab2474c88d543a`	affected	< 6d3275fc4ed968938e1d556c344798046776668d
`c0cfa2d8a788fcf45df5bf4070ab2474c88d543a`	affected	< 52bcb57a4e8a0865a76c587c2451906342ae1b2d

Linux

affected

Version	Status	Constraints
`5.5`	affected	—
`0`	unaffected	< 5.5
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.140`	unaffected	≤ 6.6.*
`6.12.90`	unaffected	≤ 6.12.*
`6.18.32`	unaffected	≤ 6.18.*
`7.0.9`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[c0cfa2d8a788fcf45df5bf4070ab2474c88d543a,65c484726e74013a2ec7ba67a34d87760ae8f390)`	affected	code_commit	—
`[c0cfa2d8a788fcf45df5bf4070ab2474c88d543a,29371f3cc83e2a92265b4768014a30b80234112f)`	affected	code_commit	—
`[c0cfa2d8a788fcf45df5bf4070ab2474c88d543a,e9edf9893cf26d060705c910a9b62d8cc96ed56a)`	affected	code_commit	—
`[c0cfa2d8a788fcf45df5bf4070ab2474c88d543a,6d3275fc4ed968938e1d556c344798046776668d)`	affected	code_commit	—
`[c0cfa2d8a788fcf45df5bf4070ab2474c88d543a,52bcb57a4e8a0865a76c587c2451906342ae1b2d)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.5`	affected	semver	—
`[0,5.5)`	unaffected	semver	—
`[6.6.140,6.7.0)`	unaffected	semver	—
`[6.12.90,6.13.0)`	unaffected	semver	—
`[6.18.32,6.19.0)`	unaffected	semver	—
`[7.0.9,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel release that contains the fix, or back‑port the patch from the commit history.
Verify that the kernel configuration enables the vsock/virtio module and that no legacy transport drivers remain that could trigger the path.
Monitor socket backlog metrics and, if patching cannot occur immediately, temporarily reduce the maximum backlog size for vsock sockets to limit the impact of the leak.

Generated by OpenCVE AI on June 10, 2026 at 20:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00128.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/29371f3cc83e2a92265b4768014a30b80234112f
https://git.kernel.org/stable/c/2ea5d2c79edcc99c7dbe0bb7518f5e1ee2a2391f
https://git.kernel.org/stable/c/52bcb57a4e8a0865a76c587c2451906342ae1b2d
https://git.kernel.org/stable/c/65c484726e74013a2ec7ba67a34d87760ae8f390
https://git.kernel.org/stable/c/6d3275fc4ed968938e1d556c344798046776668d
https://git.kernel.org/stable/c/e9edf9893cf26d060705c910a9b62d8cc96ed56a
https://git.kernel.org/stable/c/f66c7904fb6f0e420a654bc90909e64a25d00896
https://git.kernel.org/stable/c/fd51e810affa38d735d04261e673b2a5fe9c8665
https://lore.kernel.org/linux-cve-announce/2026052835-CVE-2026-46214-9b8d@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46214
https://www.cve.org/CVERecord?id=CVE-2026-46214

History

Wed, 10 Jun 2026 19:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-Other
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/2ea5d2c79edcc99c7dbe0bb7518f5e1ee2a2391f https://git.kernel.org/stable/c/f66c7904fb6f0e420a654bc90909e64a25d00896 https://git.kernel.org/stable/c/fd51e810affa38d735d04261e673b2a5fe9c8665

Fri, 29 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-911
References		https://lore.kernel.org/linux-cve-announce/2026052835-CVE-2026-46214-9b8d@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46214 https://www.cve.org/CVERecord?id=CVE-2026-46214
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Thu, 28 May 2026 13:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-668

Thu, 28 May 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix accept queue count leak on transport mismatch virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog. After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections. Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.
Title		vsock/virtio: fix accept queue count leak on transport mismatch
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/29371f3cc83e2a92265b4768014a30b80234112f https://git.kernel.org/stable/c/52bcb57a4e8a0865a76c587c2451906342ae1b2d https://git.kernel.org/stable/c/65c484726e74013a2ec7ba67a34d87760ae8f390 https://git.kernel.org/stable/c/6d3275fc4ed968938e1d556c344798046776668d https://git.kernel.org/stable/c/e9edf9893cf26d060705c910a9b62d8cc96ed56a

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-28T09:40:31.245Z

Updated: 2026-06-14T18:03:15.809Z

Reserved: 2026-05-13T15:03:33.105Z

Link: CVE-2026-46214

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T10:16:37.050

Modified: 2026-06-10T19:16:17.400

Link: CVE-2026-46214

Redhat

Severity : Moderate

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46214 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T20:45:40Z

Weaknesses

CWE-668
Exposure of Resource to Wrong Sphere
CWE-911
Improper Update of Reference Count
NVD-CWE-Other

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object