Description
In the Linux kernel, the following vulnerability has been resolved:

vsock/vmci: fix sk_ack_backlog leak on failed handshake

When vmci_transport_recv_connecting_server() returns an error,
vmci_transport_recv_listen() calls vsock_remove_pending() but never
calls sk_acceptq_removed(). This leaves sk_ack_backlog incremented
permanently.

Repeated handshake failures (malformed packets, queue pair alloc
failure, event subscribe failure) cause sk_ack_backlog to climb
toward sk_max_ack_backlog. Once it reaches the limit the listener
permanently refuses all new connections with -ECONNREFUSED, a
silent denial of service requiring a process restart to recover.

The two existing sk_acceptq_removed() calls in af_vsock.c do not
cover this path: line 764 checks vsock_is_pending() which returns
false after vsock_remove_pending(), and line 1889 is only reached
on successful accept().

Fix by balancing sk_acceptq_added() with sk_acceptq_removed() on
the error path.
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel has a resource management flaw in the vsock/VMCI subsystem: when a handshake fails, the sk_ack_backlog counter is not decremented, thereby permanently inflating the backlog. As each failed handshake increments sk_ack_backlog, repeated failures eventually saturate the backlog limit, after which the listener refuses all new connection attempts with a silent ECONNREFUSED error. This denial of service can persist until the system is rebooted or the kernel process is restarted, and it does not affect any user data directly.

Affected Systems

Linux kernels that include the vsock/VMCI implementation and predate the patch. Any deployment that has not applied the recent kernel update that balances sk_acceptq_added and sk_acceptq_removed is vulnerable.

Risk and Exploitability

An attacker who can generate malformed vsock packets or otherwise force handshake failures – from a guest VM, a privileged process, or network traffic – can gradually drive sk_ack_backlog to its maximum. Because the backlog counter is never reset automatically, the resulting denial of service is irreversible until a reboot. The EPSS score is unavailable, the CVSS score is not disclosed, and the flaw is not listed in the CISA KEV catalog; thus, exploitation is less likely to be observed but the impact is severe if achieved.

Generated by OpenCVE AI on June 25, 2026 at 11:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the sk_ack_backlog fix for vsock/VMCI.
  • If the listener is refusing new connections, restart the kernel or reboot the system to clear the backlog.
  • In the interim, monitor vsock activity and restrict malformed packet traffic by configuring firewall rules or disabling unnecessary VMCI usage.
  • If custom kernel modules interact with vsock, ensure they properly balance sk_acceptq_added and sk_acceptq_removed even on error paths to prevent similar leaks.

Generated by OpenCVE AI on June 25, 2026 at 11:58 UTC.
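
The accounting imbalance from the Description, and the balancing rule in the last recommended action, shown as an added user-space model (not kernel code, and not taken from the kernel patch or from OpenCVE). The struct, the functions `handle_request`, `replay_failures` and `connect_after_failures`, and the backlog limit of 8 are constructed for illustration; the refusal check models the page's "once it reaches the limit", and accept() is simplified to happen immediately.

```c
/* User-space model of the accept-queue accounting; not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct listener {                    /* stand-in for the two struct sock fields */
    unsigned int sk_ack_backlog;
    unsigned int sk_max_ack_backlog;
};
enum outcome { HANDSHAKE_FAILS, ACCEPTED };   /* constructed event types */

/* One connection request. Returns 0 if admitted, -ECONNREFUSED if the
 * listener is already at its limit. `balanced` selects the fixed error path. */
static int handle_request(struct listener *l, enum outcome o, bool balanced)
{
    if (l->sk_ack_backlog >= l->sk_max_ack_backlog)
        return -ECONNREFUSED;
    l->sk_ack_backlog++;             /* sk_acceptq_added(): pending connection counted */
    if (o == ACCEPTED)
        l->sk_ack_backlog--;         /* sk_acceptq_removed() on successful accept() */
    else if (balanced)
        l->sk_ack_backlog--;         /* the fix: also remove on the error path */
    /* unfixed error path: only vsock_remove_pending(), counter stays raised */
    return 0;
}

/* Replay n failed handshakes against a fresh listener and return its state. */
static struct listener replay_failures(unsigned int max, unsigned int n, bool balanced)
{
    struct listener l = { 0, max };
    for (unsigned int i = 0; i < n; i++)
        handle_request(&l, HANDSHAKE_FAILS, balanced);
    return l;
}

/* Result of one well-formed connection attempt after n failed handshakes. */
static int connect_after_failures(unsigned int max, unsigned int n, bool balanced)
{
    struct listener l = replay_failures(max, n, balanced);
    return handle_request(&l, ACCEPTED, balanced);
}

int main(void)
{
    for (int fixed = 0; fixed <= 1; fixed++)
        printf("%s: connect rc=%d, sk_ack_backlog=%u\n", fixed ? "fixed" : "unfixed",
               connect_after_failures(8, 8, fixed), replay_failures(8, 8, fixed).sk_ack_backlog);
    return 0;
}
```

In the unbalanced run the counter never falls, so the listener stays refused no matter how many further requests arrive; in the balanced run it returns to zero after every failure.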

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: vsock/vmci: fix sk_ack_backlog leak on failed handshake When vmci_transport_recv_connecting_server() returns an error, vmci_transport_recv_listen() calls vsock_remove_pending() but never calls sk_acceptq_removed(). This leaves sk_ack_backlog incremented permanently. Repeated handshake failures (malformed packets, queue pair alloc failure, event subscribe failure) cause sk_ack_backlog to climb toward sk_max_ack_backlog. Once it reaches the limit the listener permanently refuses all new connections with -ECONNREFUSED, a silent denial of service requiring a process restart to recover. The two existing sk_acceptq_removed() calls in af_vsock.c do not cover this path: line 764 checks vsock_is_pending() which returns false after vsock_remove_pending(), and line 1889 is only reached on successful accept(). Fix by balancing sk_acceptq_added() with sk_acceptq_removed() on the error path.
Title vsock/vmci: fix sk_ack_backlog leak on failed handshake
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:38:55.994Z

Reserved: 2026-06-09T07:44:35.390Z

Link: CVE-2026-53181

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T12:00:14Z

Weaknesses