Description
In the Linux kernel, the following vulnerability has been resolved:

vsock/virtio: fix accept queue count leak on transport mismatch

virtio_transport_recv_listen() calls sk_acceptq_added() before
vsock_assign_transport(). If vsock_assign_transport() fails or
selects a different transport, the error path returns without
calling sk_acceptq_removed(), permanently incrementing
sk_ack_backlog.

After approximately backlog+1 such failures, sk_acceptq_is_full()
returns true, causing the listener to reject all new connections.

Fix by moving sk_acceptq_added() to after the transport validation,
matching the pattern used by vmci_transport and hyperv_transport.
Published: 2026-05-28
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, a flaw in the vsock/virtio transport causes an accept queue count leak. The listener counts a new connection in its accept queue before the transport is validated, so the count is permanently incremented when the transport assignment later fails or selects a different transport. The backlog count therefore grows with each such failure, and once it surpasses the limit the listener refuses all additional connections, effectively crippling connectivity for that socket. The vulnerability is a denial‑of‑service condition caused by resource exhaustion in the kernel.
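The accounting error described above, as an added example that is not kernel code and not part of the original record: a simplified userspace C model that counts a connection either before or after the transport check. The struct, the function names and the `transport_ok` flag are assumptions standing in for the kernel's socket state and the outcome of vsock_assign_transport().

```c
/* Simplified userspace model (added example, not kernel code). All names are
 * hypothetical; only the ordering of the counter update relative to the
 * transport check mirrors what the description states. */
#include <stdbool.h>
#include <stdio.h>

struct listener {
    unsigned int ack_backlog;     /* models sk_ack_backlog */
    unsigned int max_ack_backlog; /* models the listen() backlog limit */
};

/* Models sk_acceptq_is_full(): full once the count exceeds the limit. */
static bool acceptq_is_full(const struct listener *l)
{
    return l->ack_backlog > l->max_ack_backlog;
}

/* Handle one connection request. transport_ok stands in for the result of
 * transport assignment and validation. Returns true if the child is queued. */
static bool recv_listen(struct listener *l, bool transport_ok, bool fixed)
{
    if (acceptq_is_full(l))
        return false;       /* listener rejects the request */
    if (!fixed)
        l->ack_backlog++;   /* pre-fix: counted before validation */
    if (!transport_ok)
        return false;       /* pre-fix: this return never undoes the count */
    if (fixed)
        l->ack_backlog++;   /* post-fix: counted only after validation */
    return true;
}

/* Feed `failures` mismatching requests, then one valid request.
 * Returns true if the valid request is still accepted. */
static bool survives_failures(unsigned int backlog, unsigned int failures, bool fixed)
{
    struct listener l = { 0, backlog };
    for (unsigned int i = 0; i < failures; i++)
        recv_listen(&l, false, fixed);
    return recv_listen(&l, true, fixed);
}

int main(void)
{
    printf("pre-fix,  backlog 4, 5 failures: accepted=%d\n", survives_failures(4, 5, false));
    printf("post-fix, backlog 4, 5 failures: accepted=%d\n", survives_failures(4, 5, true));
    return 0;
}
```

The model omits accept(), which would decrement the count for queued children; leaked increments have no queued child, so nothing ever removes them.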

Affected Systems

All Linux kernel installations that have not been updated to include the described commit are vulnerable. The issue originates in the vsock/virtio module, so any system using that transport layer—common in virtualized environments—could be impacted.

Risk and Exploitability

The flaw allows a denial of service without elevated privileges, though it requires the ability to trigger connection attempts that fail transport validation. Because the backlog increment is persistent, repeated failures will lock the listener. No public exploit has been cited, and the EPSS score is unavailable, but the potential to disrupt services in environments that rely on vsock connections makes it a high‑priority target for attackers. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 28, 2026 at 12:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel release that contains the fix, or back‑port the patch from the commit history.
  • Verify that the kernel configuration enables the vsock/virtio module and that no legacy transport drivers remain that could trigger the path.
  • Monitor socket backlog metrics and, if patching cannot occur immediately, temporarily reduce the maximum backlog size for vsock sockets to limit the impact of the leak.

Generated by OpenCVE AI on May 28, 2026 at 12:33 UTC.

Advisories

No advisories yet.

History

Thu, 28 May 2026 13:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-668

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix accept queue count leak on transport mismatch virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog. After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections. Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.
Title vsock/virtio: fix accept queue count leak on transport mismatch
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:40:31.245Z

Reserved: 2026-05-13T15:03:33.105Z

Link: CVE-2026-46214

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-28T10:16:37.050

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46214

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T16:15:03Z

Weaknesses