CVE-2026-52994
Received - Intake
vsock/virtio Zero-Copy Memory Accounting Bypass

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting

virtio_transport_init_zcopy_skb() uses iter->count as the size argument for msg_zerocopy_realloc(), which in turn passes it to mm_account_pinned_pages() for RLIMIT_MEMLOCK accounting. However, this function is called after virtio_transport_fill_skb() has already consumed the iterator via __zerocopy_sg_from_iter(), so on the last skb, iter->count will be 0, skipping the RLIMIT_MEMLOCK enforcement.

Pass pkt_len (the total bytes being sent) as an explicit parameter to virtio_transport_init_zcopy_skb() instead of reading the already-consumed iter->count. This matches TCP and UDP, which both call msg_zerocopy_realloc() with the original message size.

Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE
Vendor    Product         Version / Range
linux     linux_kernel    *

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's vsock/virtio component related to zero-copy message handling. Specifically, the function virtio_transport_init_zcopy_skb() incorrectly uses an iterator's count value as the size argument for memory accounting in msg_zerocopy_realloc(). Because the iterator has already been consumed earlier in the process, the count becomes zero on the last socket buffer (skb), causing the memory lock limit (RLIMIT_MEMLOCK) enforcement to be skipped. This means that the system does not properly account for pinned pages, potentially allowing more memory to be locked than intended.

The fix involves passing the total packet length explicitly to virtio_transport_init_zcopy_skb() instead of relying on the consumed iterator count, aligning the behavior with TCP and UDP implementations.
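
A userspace C model of the ordering problem described above, added here as an example; it is not kernel code or the upstream patch. The struct and function names, the 16-page limit and the 64 KiB skb size are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#define PAGE_SZ 4096u
/* Userspace model only: names and sizes are illustrative, not kernel code. */
struct model_iter { size_t count; };          /* bytes left in the iterator */
struct model_user { size_t pinned, limit; };  /* pages pinned / allowed (RLIMIT_MEMLOCK stand-in) */

/* Stand-in for the accounting step: a size of 0 charges nothing and succeeds. */
static int account_pinned(struct model_user *u, size_t size)
{
    size_t pages = (size + PAGE_SZ - 1) / PAGE_SZ;
    if (size == 0)
        return 0;
    if (u->pinned + pages > u->limit)
        return -1;                            /* over the limit: refuse */
    u->pinned += pages;
    return 0;
}

/* Stand-in for filling one skb: consumes bytes from the iterator. */
static void fill_skb(struct model_iter *it, size_t len) { it->count -= len; }

/* Sends pkt_len bytes in max_skb-sized pieces and accounts on the last piece,
 * after the iterator was consumed. use_pkt_len != 0 models the fixed code.
 * Returns 0 if the send was allowed, -1 if it was refused. */
static int model_send(struct model_user *u, size_t pkt_len, size_t max_skb, int use_pkt_len)
{
    struct model_iter it = { .count = pkt_len };
    size_t rest = pkt_len;

    while (rest) {
        size_t len = rest < max_skb ? rest : max_skb;
        fill_skb(&it, len);
        /* Last piece: it.count is already 0 here, pkt_len is still the full size. */
        if (len == rest && account_pinned(u, use_pkt_len ? pkt_len : it.count))
            return -1;
        rest -= len;
    }
    return 0;
}

int main(void)
{
    struct model_user before = { 0, 16 }, after = { 0, 16 };
    int rb = model_send(&before, 1u << 20, 65536, 0);   /* 1 MiB = 256 pages */
    int ra = model_send(&after, 1u << 20, 65536, 1);
    printf("iter count: ret=%d pinned=%zu pages\n", rb, before.pinned);
    printf("pkt_len:    ret=%d pinned=%zu pages\n", ra, after.pinned);
    return 0;
}
```

In the model, the 1 MiB send is allowed with zero pages charged when the consumed iterator count is used, and is refused against the 16-page limit when the total length is passed instead.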

Impact Analysis

This vulnerability can lead to improper enforcement of memory locking limits (RLIMIT_MEMLOCK) in the Linux kernel when using vsock/virtio zero-copy messaging. As a result, an attacker or a process could potentially lock more memory pages than allowed, which might lead to denial-of-service conditions by exhausting system memory.
