CVE-2026-52994 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting

virtio_transport_init_zcopy_skb() uses iter->count as the size argument
for msg_zerocopy_realloc(), which in turn passes it to
mm_account_pinned_pages() for RLIMIT_MEMLOCK accounting. However, this
function is called after virtio_transport_fill_skb() has already consumed
the iterator via __zerocopy_sg_from_iter(), so on the last skb, iter->count
will be 0, skipping the RLIMIT_MEMLOCK enforcement.

Pass pkt_len (the total bytes being sent) as an explicit parameter to
virtio_transport_init_zcopy_skb() instead of reading the already-consumed
iter->count.

This matches TCP and UDP, which both call msg_zerocopy_realloc() with
the original message size.

Published: 2026-06-24

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the Linux kernel’s virtio transport zero‑copy path causes the pinned‑page accounting function to use a zero count after the iterator has been consumed, so RLIMIT_MEMLOCK enforcement is skipped for the final skb. An attacker can therefore allocate more pinned memory than permitted, potentially enabling memory exhaustion or a denial of service. The weakness is an improper resource‑management error that bypasses kernel limits.

Affected Systems

All Linux kernel versions that do not include the commit that patches virtio_transport_init_zcopy_skb. The specific kernel releases affected are not listed in the CVE data, so any kernel prior to the fix is potentially vulnerable.

Risk and Exploitability

The vulnerability does not provide a publicly documented active exploit, and its EPSS score is not available. Because it bypasses a system resource limit, its risk is moderate to high in environments where privileged or untrusted guests can rely on vsock/virtio zero‑copy messaging. The attack vector is inferred to be local or confined to the virtual machine ecosystem; no public data indicates an external network exploit.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`581512a6dc939ef122e49336626ae159f3b8a345`	affected	< 6af1736b5810bc8a4a43a8518530113f5a757dc1
`581512a6dc939ef122e49336626ae159f3b8a345`	affected	< d0117950075f0a9d5944980784c719d8ebcd4bff
`581512a6dc939ef122e49336626ae159f3b8a345`	affected	< 1cb36e252211506f51095fe7ced8286cc77b4c80

Linux

affected

Version	Status	Constraints
`6.7`	affected	—
`0`	unaffected	< 6.7
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[581512a6dc939ef122e49336626ae159f3b8a345,6af1736b5810bc8a4a43a8518530113f5a757dc1)`	affected	code_commit	—
`[581512a6dc939ef122e49336626ae159f3b8a345,d0117950075f0a9d5944980784c719d8ebcd4bff)`	affected	code_commit	—
`[581512a6dc939ef122e49336626ae159f3b8a345,1cb36e252211506f51095fe7ced8286cc77b4c80)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.7`	affected	generic	—
`[0,6.7)`	unaffected	generic	—
`[6.18.33,6.19.0)`	unaffected	semver	—
`[7.0.10,8.0.0)`	unaffected	semver	—
`[7.1, *)`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the virtio_transport_init_zcopy_skb patch.
Adjust RLIMIT_MEMLOCK settings through /etc/security/limits.conf or ulimit to limit memory locks for users that do not require them.
If an update cannot be applied immediately, disable virtio zero‑copy messaging or configure the system to avoid using vsock/virtio zero‑copy.

Generated by OpenCVE AI on June 24, 2026 at 19:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1cb36e252211506f51095fe7ced8286cc77b4c80
https://git.kernel.org/stable/c/6af1736b5810bc8a4a43a8518530113f5a757dc1
https://git.kernel.org/stable/c/d0117950075f0a9d5944980784c719d8ebcd4bff

History

Wed, 24 Jun 2026 20:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-284

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting virtio_transport_init_zcopy_skb() uses iter->count as the size argument for msg_zerocopy_realloc(), which in turn passes it to mm_account_pinned_pages() for RLIMIT_MEMLOCK accounting. However, this function is called after virtio_transport_fill_skb() has already consumed the iterator via __zerocopy_sg_from_iter(), so on the last skb, iter->count will be 0, skipping the RLIMIT_MEMLOCK enforcement. Pass pkt_len (the total bytes being sent) as an explicit parameter to virtio_transport_init_zcopy_skb() instead of reading the already-consumed iter->count. This matches TCP and UDP, which both call msg_zerocopy_realloc() with the original message size.
Title		vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1cb36e252211506f51095fe7ced8286cc77b4c80 https://git.kernel.org/stable/c/6af1736b5810bc8a4a43a8518530113f5a757dc1 https://git.kernel.org/stable/c/d0117950075f0a9d5944980784c719d8ebcd4bff

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:29:07.360Z

Updated: 2026-06-24T16:29:07.360Z

Reserved: 2026-06-09T07:44:35.377Z

Link: CVE-2026-52994

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T22:15:03Z

Weaknesses

CWE-284
Improper Access Control

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object