CVE-2026-53365
Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
13/07/2026
Última modificación:
13/07/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
vsock/virtio: fix zerocopy completion for multi-skb sends<br />
<br />
When a large message is fragmented into multiple skbs, the zerocopy<br />
uarg is only allocated and attached to the last skb in the loop.<br />
Non-final skbs carry pinned user pages with no completion tracking,<br />
so the kernel has no way to notify userspace when those pages are safe<br />
to reuse. If the loop breaks early the uarg is never allocated at all,<br />
leaking pinned pages with no completion notification.<br />
<br />
Fix this by following the approach used by TCP: allocate the zerocopy<br />
uarg (if not provided by the caller) before the send loop and attach<br />
it to every skb via skb_zcopy_set(), which takes a reference per skb.<br />
Each skb&#39;s completion properly decrements the refcount, and the<br />
notification only fires after the last skb is freed.<br />
On failure, if no data was sent, the uarg is cleanly aborted via<br />
net_zcopy_put_abort().<br />
<br />
This issue was initially discovered by sashiko while reviewing commit<br />
1cb36e252211 ("vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting")<br />
but was pre-existing.



