Home

Description

In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Coalesce only linear skb vsock/virtio common tries to coalesce buffers in rx queue: if a linear skb (with a spare tail room) is followed by a small skb (length limited by GOOD_COPY_LEN = 128), an attempt is made to join them. Since the introduction of MSG_ZEROCOPY support, assumption that a small skb will always be linear is incorrect. In the zerocopy case, data is lost and the linear skb is appended with uninitialized kernel memory. Of all 3 supported virtio-based transports, only loopback-transport is affected. G2H virtio-transport rx queue operates on explicitly linear skbs; see virtio_vsock_alloc_linear_skb() in virtio_vsock_rx_fill(). H2G vhost-transport may allocate non-linear skbs, but only for sizes that are not considered for coalescence; see PAGE_ALLOC_COSTLY_ORDER in virtio_vsock_alloc_skb(). Ensure only linear skbs are coalesced. Note that skb_tailroom(last_skb) > 0 guarantees last_skb is linear.

PUBLISHED Reserved 2026-01-13 | Published 2026-02-04 | Updated 2026-02-09 | Assigner Linux

Product status

Default status
unaffected

581512a6dc939ef122e49336626ae159f3b8a345 (git) before 568e9cd8ed7ca9bf748c7687ba6501f29d30e59f
affected

581512a6dc939ef122e49336626ae159f3b8a345 (git) before 63ef9b300bd09e24c57050c5dbe68feedce42e72
affected

581512a6dc939ef122e49336626ae159f3b8a345 (git) before 0386bd321d0f95d041a7b3d7b07643411b044a96
affected

Default status
affected

6.7
affected

Any version before 6.7
unaffected

6.12.68 (semver)
unaffected

6.18.8 (semver)
unaffected

6.19 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/568e9cd8ed7ca9bf748c7687ba6501f29d30e59f

git.kernel.org/...c/63ef9b300bd09e24c57050c5dbe68feedce42e72

git.kernel.org/...c/0386bd321d0f95d041a7b3d7b07643411b044a96

cve.org (CVE-2026-23057)

nvd.nist.gov (CVE-2026-23057)

Download JSON