CVE-2026-23057
Description
In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: Coalesce only linear skb
vsock/virtio common tries to coalesce buffers in rx queue: if a linear skb (with a spare tail room) is followed by a small skb (length limited by GOOD_COPY_LEN = 128), an attempt is made to join them.
Since the introduction of MSG_ZEROCOPY support, the assumption that a small skb will always be linear is incorrect. In the zerocopy case, data is lost and the linear skb is appended with uninitialized kernel memory.
Of all 3 supported virtio-based transports, only loopback-transport is affected. G2H virtio-transport rx queue operates on explicitly linear skbs; see virtio_vsock_alloc_linear_skb() in virtio_vsock_rx_fill(). H2G vhost-transport may allocate non-linear skbs, but only for sizes that are not considered for coalescence; see PAGE_ALLOC_COSTLY_ORDER in virtio_vsock_alloc_skb().
Ensure only linear skbs are coalesced. Note that skb_tailroom(last_skb) > 0 guarantees last_skb is linear.
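A simplified user-space model of the coalescing decision described above, added here as an illustration; it is not the kernel's code. `toy_skb`, `toy_coalesce()`, `stale_bytes_after_rx()` and the `STALE` marker are hypothetical names, and copying from the linear area only is a modelling assumption.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define GOOD_COPY_LEN 128 /* small-skb limit named in the description */
#define STALE 0xAA        /* marker standing in for uninitialized memory */

/* Toy model, not struct sk_buff: data_len != 0 means non-linear. */
struct toy_skb {
    unsigned char head[256];   /* linear area */
    const unsigned char *frag; /* a zerocopy payload lives here instead */
    size_t len, data_len;      /* total bytes, bytes held in fragments */
};

bool toy_coalesce(struct toy_skb *last, const struct toy_skb *skb, bool require_linear)
{
    /* Like skb_tailroom(): a non-linear skb reports no tail room. */
    size_t room = last->data_len ? 0 : sizeof(last->head) - last->len;
    if (skb->len > GOOD_COPY_LEN || skb->len > room)
        return false;
    if (require_linear && skb->data_len)
        return false; /* the added condition: skip non-linear skbs */
    /* Assumption: the copy reads the linear area only, never the frag. */
    memcpy(last->head + last->len, skb->head, skb->len);
    last->len += skb->len;
    return true;
}

/* Queue "hello", then an 8-byte zerocopy skb; count stale bytes merged. */
size_t stale_bytes_after_rx(bool require_linear)
{
    struct toy_skb last = { .len = 5 };
    struct toy_skb zc = { .frag = (const unsigned char *)"ZEROCOPY",
                          .len = 8, .data_len = 8 };
    size_t i, stale = 0;
    memcpy(last.head, "hello", 5);
    memset(zc.head, STALE, sizeof(zc.head)); /* linear area never filled */
    toy_coalesce(&last, &zc, require_linear);
    for (i = 0; i < last.len; i++)
        stale += last.head[i] == STALE;
    return stale;
}

int main(void)
{
    printf("stale bytes: unpatched=%zu patched=%zu\n",
           stale_bytes_after_rx(false), stale_bytes_after_rx(true));
    return 0;
}
```

With the linearity condition off, the receiver's buffer grows by eight marker bytes and the fragment payload never arrives; with it on, the zerocopy skb stays queued on its own.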
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Linux kernel vsock/virtio, improper coalescing of non-linear skbs due to MSG_ZEROCOPY can cause data loss and leak uninitialized kernel memory on loopback transport.
Vulnerability Overview
The Linux kernel's vsock/virtio implementation contains a vulnerability in its buffer coalescing logic within the receive queue. The code attempts to coalesce a linear skb (with spare tail room) with a subsequent small skb (length ≤ 128 bytes). However, since the introduction of MSG_ZEROCOPY support, the assumption that a small skb will always be linear is no longer valid. When a non-linear skb (e.g., from zerocopy) is coalesced, data is lost and the linear skb is appended with uninitialized kernel memory, potentially exposing sensitive information [1].
Attack Surface and Exploitation
Of the three supported virtio-based transports (loopback, guest-to-host, host-to-guest), only the loopback transport is affected. The guest-to-host transport uses explicitly linear skbs, and the host-to-guest transport allocates non-linear skbs only for sizes that are not considered for coalescence. An attacker would need to be able to trigger the coalescing path on a loopback vsock connection, which may require local access or the ability to send crafted packets. No authentication is required beyond the ability to establish a vsock connection [1].
Impact
Successful exploitation can lead to data corruption (loss of the small skb's payload) and the exposure of uninitialized kernel memory to the receiving socket. This could leak sensitive kernel data or be used as a stepping stone for further attacks. The vulnerability does not directly allow code execution but could aid in information disclosure [1].
Mitigation
The fix ensures that only linear skbs are coalesced; skb_tailroom(last_skb) > 0 guarantees that last_skb is linear. The patch has been applied to the stable kernel tree. Users should update to a kernel version containing commit 63ef9b300bd0 or later. No workaround is available; updating is the recommended action [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.