CVE-2026-23086

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vsock/virtio: cap TX credit to local buffer size<br /> <br /> The virtio transports derives its TX credit directly from peer_buf_alloc,<br /> which is set from the remote endpoint&amp;#39;s SO_VM_SOCKETS_BUFFER_SIZE value.<br /> <br /> On the host side this means that the amount of data we are willing to<br /> queue for a connection is scaled by a guest-chosen buffer size, rather<br /> than the host&amp;#39;s own vsock configuration. A malicious guest can advertise<br /> a large buffer and read slowly, causing the host to allocate a<br /> correspondingly large amount of sk_buff memory.<br /> The same thing would happen in the guest with a malicious host, since<br /> virtio transports share the same code base.<br /> <br /> Introduce a small helper, virtio_transport_tx_buf_size(), that<br /> returns min(peer_buf_alloc, buf_alloc), and use it wherever we consume<br /> peer_buf_alloc.<br /> <br /> This ensures the effective TX window is bounded by both the peer&amp;#39;s<br /> advertised buffer and our own buf_alloc (already clamped to<br /> buffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer<br /> cannot force the other to queue more data than allowed by its own<br /> vsock settings.<br /> <br /> On an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with<br /> 32 guest vsock connections advertising 2 GiB each and reading slowly<br /> drove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only<br /> recovered after killing the QEMU process. That said, if QEMU memory is<br /> limited with cgroups, the maximum memory used will be limited.<br /> <br /> With this patch applied:<br /> <br /> Before:<br /> MemFree: ~61.6 GiB<br /> Slab: ~142 MiB<br /> SUnreclaim: ~117 MiB<br /> <br /> After 32 high-credit connections:<br /> MemFree: ~61.5 GiB<br /> Slab: ~178 MiB<br /> SUnreclaim: ~152 MiB<br /> <br /> Only ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest<br /> remains responsive.<br /> <br /> Compatibility with non-virtio transports:<br /> <br /> - VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per<br /> socket based on the local vsk-&gt;buffer_* values; the remote side<br /> cannot enlarge those queues beyond what the local endpoint<br /> configured.<br /> <br /> - Hyper-V&amp;#39;s vsock transport uses fixed-size VMBus ring buffers and<br /> an MTU bound; there is no peer-controlled credit field comparable<br /> to peer_buf_alloc, and the remote endpoint cannot drive in-flight<br /> kernel memory above those ring sizes.<br /> <br /> - The loopback path reuses virtio_transport_common.c, so it<br /> naturally follows the same semantics as the virtio transport.<br /> <br /> This change is limited to virtio_transport_common.c and thus affects<br /> virtio-vsock, vhost-vsock, and loopback, bringing them in line with the<br /> "remote window intersected with local policy" behaviour that VMCI and<br /> Hyper-V already effectively have.<br /> <br /> [Stefano: small adjustments after changing the previous patch]<br /> [Stefano: tweak the commit message]