Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-53365

Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
13/07/2026
Última modificación:
13/07/2026

Descripción

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vsock/virtio: fix zerocopy completion for multi-skb sends<br /> <br /> When a large message is fragmented into multiple skbs, the zerocopy<br /> uarg is only allocated and attached to the last skb in the loop.<br /> Non-final skbs carry pinned user pages with no completion tracking,<br /> so the kernel has no way to notify userspace when those pages are safe<br /> to reuse. If the loop breaks early the uarg is never allocated at all,<br /> leaking pinned pages with no completion notification.<br /> <br /> Fix this by following the approach used by TCP: allocate the zerocopy<br /> uarg (if not provided by the caller) before the send loop and attach<br /> it to every skb via skb_zcopy_set(), which takes a reference per skb.<br /> Each skb&amp;#39;s completion properly decrements the refcount, and the<br /> notification only fires after the last skb is freed.<br /> On failure, if no data was sent, the uarg is cleanly aborted via<br /> net_zcopy_put_abort().<br /> <br /> This issue was initially discovered by sashiko while reviewing commit<br /> 1cb36e252211 ("vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting")<br /> but was pre-existing.

Impacto