CVE-2026-46207

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
28/05/2026
Last modified:
10/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vsock/virtio: fix empty payload in tap skb for non-linear buffers<br /> <br /> For non-linear skbs, virtio_transport_build_skb() goes through<br /> virtio_transport_copy_nonlinear_skb() to copy the original payload<br /> in the new skb to be delivered to the vsockmon tap device.<br /> This manually initializes an iov_iter but does not set iov_iter.count.<br /> Since the iov_iter is zero-initialized, the copy length is zero and no<br /> payload is actually copied to the monitor interface, leaving data<br /> un-initialized.<br /> <br /> Fix this by removing the linear vs non-linear split and using<br /> skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as<br /> vhost-vsock already does. This handles both linear and non-linear skbs,<br /> properly initializes the iov_iter, and removes the now unused<br /> virtio_transport_copy_nonlinear_skb().<br /> <br /> While touching this code, let&amp;#39;s also check the return value of<br /> skb_copy_datagram_iter(), even though it&amp;#39;s unlikely to fail.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.90 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.32 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 7.0.9 (excluding)
cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*