CVE-2026-23057
Use-After-Free in Linux Kernel vsock/virtio Causes Data Loss

Publication date: 2026-02-04

Last updated on: 2026-02-04

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

vsock/virtio: Coalesce only linear skb

vsock/virtio common tries to coalesce buffers in rx queue: if a linear skb (with a spare tail room) is followed by a small skb (length limited by GOOD_COPY_LEN = 128), an attempt is made to join them.

Since the introduction of MSG_ZEROCOPY support, assumption that a small skb will always be linear is incorrect. In the zerocopy case, data is lost and the linear skb is appended with uninitialized kernel memory.

Of all 3 supported virtio-based transports, only loopback-transport is affected. G2H virtio-transport rx queue operates on explicitly linear skbs; see virtio_vsock_alloc_linear_skb() in virtio_vsock_rx_fill(). H2G vhost-transport may allocate non-linear skbs, but only for sizes that are not considered for coalescence; see PAGE_ALLOC_COSTLY_ORDER in virtio_vsock_alloc_skb().

Ensure only linear skbs are coalesced. Note that skb_tailroom(last_skb) > 0 guarantees last_skb is linear.
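
A simplified userspace model of the coalescing check described above, added here as an illustration; it is not the kernel's code. `struct model_skb`, `try_coalesce()`, `stale_bytes_appended()`, `HEAD_SIZE` and the 0xAA fill are assumptions of the model; only `GOOD_COPY_LEN = 128` comes from the description.

```c
#include <stddef.h>
#include <string.h>

#define GOOD_COPY_LEN 128            /* size limit quoted in the description */
#define HEAD_SIZE     256            /* constructed head-buffer size */

/* Userspace stand-in for an skb; not the kernel's struct sk_buff. */
struct model_skb {
    unsigned char head[HEAD_SIZE];   /* linear area */
    size_t len;                      /* total payload bytes */
    size_t data_len;                 /* bytes held in page fragments, 0 if linear */
    const unsigned char *frag;       /* paged payload (zerocopy case) */
};

/* As the description notes, only a linear skb has tail room. */
static size_t tailroom(const struct model_skb *s)
{
    return s->data_len ? 0 : HEAD_SIZE - s->len;
}

/* Returns 1 if skb was merged into last, 0 if it must be queued on its own.
 * require_linear = 0 models the pre-fix check, 1 the fixed check. */
static int try_coalesce(struct model_skb *last, const struct model_skb *skb,
                        int require_linear)
{
    if (skb->len > GOOD_COPY_LEN || skb->len > tailroom(last))
        return 0;
    if (require_linear && skb->data_len != 0)
        return 0;
    /* Copies len bytes from the head only: wrong when the payload is paged. */
    memcpy(last->head + last->len, skb->head, skb->len);
    last->len += skb->len;
    return 1;
}

/* Constructed input: linear "AAAA" skb, then a 4-byte skb whose payload "DATA"
 * is paged; 0xAA marks never-written head bytes. Returns 1 if they leaked. */
static int stale_bytes_appended(int require_linear)
{
    struct model_skb last = { .len = 4 }, small = { .len = 4, .data_len = 4 };
    memcpy(last.head, "AAAA", 4);
    memset(small.head, 0xAA, sizeof small.head);
    small.frag = (const unsigned char *)"DATA";
    if (!try_coalesce(&last, &small, require_linear))
        return 0;
    return last.len == 8 && last.head[4] == 0xAA && memcmp(last.head + 4, "DATA", 4) != 0;
}

int main(void) { return stale_bytes_appended(0) == 1 && stale_bytes_appended(1) == 0 ? 0 : 1; }
```

With the pre-fix check the small skb's real payload is dropped and four never-written bytes are appended to the first skb; with the linearity check the small skb is left to be queued on its own.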

Meta Information
Published: 2026-02-04
Last Modified: 2026-02-04
Generated: 2026-05-07
AI Q&A: 2026-02-04
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's vsock/virtio component, specifically in how it handles coalescing buffers in the receive (rx) queue. The system tries to join a linear socket buffer (skb) with spare tail room to a small skb if it meets certain size criteria. However, with the introduction of MSG_ZEROCOPY support, the assumption that a small skb is always linear is incorrect. In cases involving zerocopy, data can be lost and the linear skb may be appended with uninitialized kernel memory, leading to potential memory corruption or data leakage.

Of the three supported virtio-based transports, only the loopback transport is affected by this issue. The fix ensures that only linear skbs are coalesced; a last skb with spare tail room (skb_tailroom(last_skb) > 0) is already guaranteed to be linear.


How can this vulnerability impact me?

This vulnerability can lead to data loss and the inclusion of uninitialized kernel memory in network buffers. This may cause memory corruption or leakage of sensitive kernel memory contents, potentially compromising system stability and security.

Since it affects only the loopback transport in virtio-based communication, the impact is limited to local inter-process communication using this transport method. However, exploitation could still lead to unexpected behavior or exposure of sensitive information within the kernel memory.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by ensuring that only linear skbs are coalesced in the vsock/virtio code of the Linux kernel. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Specifically, the fix ensures that only linear skbs are coalesced, which prevents the data loss and the exposure of uninitialized kernel memory; skb_tailroom(last_skb) > 0 already guarantees that last_skb is linear.

