Description
In the Linux kernel, the following vulnerability has been resolved:

vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting

virtio_transport_init_zcopy_skb() uses iter->count as the size argument
for msg_zerocopy_realloc(), which in turn passes it to
mm_account_pinned_pages() for RLIMIT_MEMLOCK accounting. However, this
function is called after virtio_transport_fill_skb() has already consumed
the iterator via __zerocopy_sg_from_iter(), so on the last skb, iter->count
will be 0, skipping the RLIMIT_MEMLOCK enforcement.

Pass pkt_len (the total bytes being sent) as an explicit parameter to
virtio_transport_init_zcopy_skb() instead of reading the already-consumed
iter->count.

This matches TCP and UDP, which both call msg_zerocopy_realloc() with
the original message size.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in virtio transport zero‑copy path causes the pinned‑page accounting function to use a zero count after the iterator has been consumed, so RLIMIT_MEMLOCK enforcement is skipped for the final skb. An attacker can therefore allocate more pinned memory than permitted, potentially enabling memory exhaustion or a denial of service. The weakness is an improper resource‑management error that bypasses kernel limits.

Affected Systems

All Linux kernel versions that do not include the commit that patches virtio_transport_init_zcopy_skb. The specific kernel releases affected are not listed in the CVE data, so any kernel prior to the fix is potentially vulnerable.

Risk and Exploitability

The vulnerability does not provide a publicly documented active exploit, and its EPSS score is < 1%. The CVSS score is 5.5, indicating moderate severity. Because it bypasses a system resource limit, its risk is moderate to high in environments where privileged or untrusted guests can rely on vsock/virtio zero‑copy messaging. The attack vector is inferred to be local or confined to the virtual machine ecosystem; no public data indicates.

Generated by OpenCVE AI on June 26, 2026 at 03:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the virtio_transport_init_zcopy_skb patch.
  • Adjust RLIMIT_MEMLOCK settings through/security/limits.conf or ulimit to limit memory locks for users that do not require them.
  • If an update cannot be applied immediately, disable the system to avoid using vsock/virtio zero‑copy.

Generated by OpenCVE AI on June 26, 2026 at 03:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting virtio_transport_init_zcopy_skb() uses iter->count as the size argument for msg_zerocopy_realloc(), which in turn passes it to mm_account_pinned_pages() for RLIMIT_MEMLOCK accounting. However, this function is called after virtio_transport_fill_skb() has already consumed the iterator via __zerocopy_sg_from_iter(), so on the last skb, iter->count will be 0, skipping the RLIMIT_MEMLOCK enforcement. Pass pkt_len (the total bytes being sent) as an explicit parameter to virtio_transport_init_zcopy_skb() instead of reading the already-consumed iter->count. This matches TCP and UDP, which both call msg_zerocopy_realloc() with the original message size.
Title vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:07.360Z

Reserved: 2026-06-09T07:44:35.377Z

Link: CVE-2026-52994

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52994 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T04:00:07Z

Weaknesses
  • CWE-911

    Improper Update of Reference Count