CVE-2026-52994
Awaiting Analysis Awaiting Analysis - Queue

vsock/virtio Zero-Copy Memory Accounting Bypass

Vulnerability report for CVE-2026-52994, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-10

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting virtio_transport_init_zcopy_skb() uses iter->count as the size argument for msg_zerocopy_realloc(), which in turn passes it to mm_account_pinned_pages() for RLIMIT_MEMLOCK accounting. However, this function is called after virtio_transport_fill_skb() has already consumed the iterator via __zerocopy_sg_from_iter(), so on the last skb, iter->count will be 0, skipping the RLIMIT_MEMLOCK enforcement. Pass pkt_len (the total bytes being sent) as an explicit parameter to virtio_transport_init_zcopy_skb() instead of reading the already-consumed iter->count. This matches TCP and UDP, which both call msg_zerocopy_realloc() with the original message size.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-10
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's vsock/virtio component related to zero-copy message handling. Specifically, the function virtio_transport_init_zcopy_skb() incorrectly uses an iterator's count value as the size argument for memory accounting in msg_zerocopy_realloc(). Because the iterator has already been consumed earlier in the process, the count becomes zero on the last socket buffer (skb), causing the memory lock limit (RLIMIT_MEMLOCK) enforcement to be skipped. This means that the system does not properly account for pinned pages, potentially allowing more memory to be locked than intended.

The fix involves passing the total packet length explicitly to virtio_transport_init_zcopy_skb() instead of relying on the consumed iterator count, aligning the behavior with TCP and UDP implementations.

Impact Analysis

This vulnerability can lead to improper enforcement of memory locking limits (RLIMIT_MEMLOCK) in the Linux kernel when using vsock/virtio zero-copy messaging. As a result, an attacker or a process could potentially lock more memory pages than allowed, which might lead to resource exhaustion or denial of service conditions by exhausting system memory resources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52994. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart