CVE-2026-46214
Description
In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: fix accept queue count leak on transport mismatch
virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog.
After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections.
Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel vsock/virtio accept queue count leak on transport mismatch causes denial of service by permanently incrementing backlog.
Vulnerability
In the Linux kernel's virtio_transport_recv_listen() function in net/vmw_vsock/virtio_transport_common.c, the function sk_acceptq_added() is called before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), causing sk_ack_backlog to be permanently incremented. This leak affects all versions up to the fix.
Exploitation
An attacker does not need any special privileges. They can trigger the vulnerable code path by sending connection requests to a listening socket when the transport assignment fails (e.g., due to mismatched transport). Each failure increments the backlog count. After approximately backlog + 1 such failures, sk_acceptq_is_full() returns true.
Impact
Once the accept queue appears full, the listener rejects all new connection attempts, resulting in a denial of service (DoS) for the vsock service on that socket. No other impact beyond the rejection of legitimate connections.
Mitigation
The fix moves sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport. The fix was committed in the Linux kernel stable tree as commit 52bcb57a4e8a [1]. Users should apply the latest kernel updates. No workaround is known.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
1052bcb57a4e8avsock/virtio: fix accept queue count leak on transport mismatch
1 file changed · +1 −3
net/vmw_vsock/virtio_transport_common.c+1 −3 modifieddiff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c index a152a9e208d094..e96e9893b21b0d 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c @@ -1558,8 +1558,6 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb, return -ENOMEM; } - sk_acceptq_added(sk); - lock_sock_nested(child, SINGLE_DEPTH_NESTING); child->sk_state = TCP_ESTABLISHED; @@ -1581,6 +1579,7 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb, return ret; } + sk_acceptq_added(sk); if (virtio_transport_space_update(child, skb)) child->sk_write_space(child); -- cgit 1.3-korg
65c484726e74vsock/virtio: fix accept queue count leak on transport mismatch
1 file changed · +1 −3
net/vmw_vsock/virtio_transport_common.c+1 −3 modifieddiff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c index 4c374c36c29d11..2fbec76409475d 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c @@ -1353,8 +1353,6 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb, return -ENOMEM; } - sk_acceptq_added(sk); - lock_sock_nested(child, SINGLE_DEPTH_NESTING); child->sk_state = TCP_ESTABLISHED; @@ -1376,6 +1374,7 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb, return ret; } + sk_acceptq_added(sk); if (virtio_transport_space_update(child, skb)) child->sk_write_space(child); -- cgit 1.3-korg
29371f3cc83evsock/virtio: fix accept queue count leak on transport mismatch
1 file changed · +1 −3
net/vmw_vsock/virtio_transport_common.c+1 −3 modifieddiff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c index 6e668c2dfb7ac2..9550773fe1e17c 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c @@ -1546,8 +1546,6 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb, return -ENOMEM; } - sk_acceptq_added(sk); - lock_sock_nested(child, SINGLE_DEPTH_NESTING); child->sk_state = TCP_ESTABLISHED; @@ -1569,6 +1567,7 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb, return ret; } + sk_acceptq_added(sk); if (virtio_transport_space_update(child, skb)) child->sk_write_space(child); -- cgit 1.3-korg
e9edf9893cf2vsock/virtio: fix accept queue count leak on transport mismatch
1 file changed · +1 −3
net/vmw_vsock/virtio_transport_common.c+1 −3 modifieddiff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c index 3e148c39d10765..41be06c4bd7ff8 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c @@ -1528,8 +1528,6 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb, return -ENOMEM; } - sk_acceptq_added(sk); - lock_sock_nested(child, SINGLE_DEPTH_NESTING); child->sk_state = TCP_ESTABLISHED; @@ -1551,6 +1549,7 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb, return ret; } + sk_acceptq_added(sk); if (virtio_transport_space_update(child, skb)) child->sk_write_space(child); -- cgit 1.3-korg
6d3275fc4ed9vsock/virtio: fix accept queue count leak on transport mismatch
1 file changed · +1 −3
net/vmw_vsock/virtio_transport_common.c+1 −3 modifieddiff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c index 1227b280f1c991..6547e199ea5b16 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c @@ -1544,8 +1544,6 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb, return -ENOMEM; } - sk_acceptq_added(sk); - lock_sock_nested(child, SINGLE_DEPTH_NESTING); child->sk_state = TCP_ESTABLISHED; @@ -1567,6 +1565,7 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb, return ret; } + sk_acceptq_added(sk); if (virtio_transport_space_update(child, skb)) child->sk_write_space(child); -- cgit 1.3-korg
52bcb57a4e8avsock/virtio: fix accept queue count leak on transport mismatch
1 file changed · +1 −3
net/vmw_vsock/virtio_transport_common.c+1 −3 modifieddiff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c index a152a9e208d094..e96e9893b21b0d 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c @@ -1558,8 +1558,6 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb, return -ENOMEM; } - sk_acceptq_added(sk); - lock_sock_nested(child, SINGLE_DEPTH_NESTING); child->sk_state = TCP_ESTABLISHED; @@ -1581,6 +1579,7 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb, return ret; } + sk_acceptq_added(sk); if (virtio_transport_space_update(child, skb)) child->sk_write_space(child); -- cgit 1.3-korg
6d3275fc4ed9vsock/virtio: fix accept queue count leak on transport mismatch
1 file changed · +1 −3
net/vmw_vsock/virtio_transport_common.c+1 −3 modifieddiff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c index 1227b280f1c991..6547e199ea5b16 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c @@ -1544,8 +1544,6 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb, return -ENOMEM; } - sk_acceptq_added(sk); - lock_sock_nested(child, SINGLE_DEPTH_NESTING); child->sk_state = TCP_ESTABLISHED; @@ -1567,6 +1565,7 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb, return ret; } + sk_acceptq_added(sk); if (virtio_transport_space_update(child, skb)) child->sk_write_space(child); -- cgit 1.3-korg
e9edf9893cf2vsock/virtio: fix accept queue count leak on transport mismatch
1 file changed · +1 −3
net/vmw_vsock/virtio_transport_common.c+1 −3 modifieddiff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c index 3e148c39d10765..41be06c4bd7ff8 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c @@ -1528,8 +1528,6 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb, return -ENOMEM; } - sk_acceptq_added(sk); - lock_sock_nested(child, SINGLE_DEPTH_NESTING); child->sk_state = TCP_ESTABLISHED; @@ -1551,6 +1549,7 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb, return ret; } + sk_acceptq_added(sk); if (virtio_transport_space_update(child, skb)) child->sk_write_space(child); -- cgit 1.3-korg
65c484726e74vsock/virtio: fix accept queue count leak on transport mismatch
1 file changed · +1 −3
net/vmw_vsock/virtio_transport_common.c+1 −3 modifieddiff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c index 4c374c36c29d11..2fbec76409475d 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c @@ -1353,8 +1353,6 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb, return -ENOMEM; } - sk_acceptq_added(sk); - lock_sock_nested(child, SINGLE_DEPTH_NESTING); child->sk_state = TCP_ESTABLISHED; @@ -1376,6 +1374,7 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb, return ret; } + sk_acceptq_added(sk); if (virtio_transport_space_update(child, skb)) child->sk_write_space(child); -- cgit 1.3-korg
29371f3cc83evsock/virtio: fix accept queue count leak on transport mismatch
1 file changed · +1 −3
net/vmw_vsock/virtio_transport_common.c+1 −3 modifieddiff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c index 6e668c2dfb7ac2..9550773fe1e17c 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c @@ -1546,8 +1546,6 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb, return -ENOMEM; } - sk_acceptq_added(sk); - lock_sock_nested(child, SINGLE_DEPTH_NESTING); child->sk_state = TCP_ESTABLISHED; @@ -1569,6 +1567,7 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb, return ret; } + sk_acceptq_added(sk); if (virtio_transport_space_update(child, skb)) child->sk_write_space(child); -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing sk_acceptq_removed() call on error path in virtio_transport_recv_listen() causes permanent leak of the accept queue count when vsock_assign_transport() fails or selects a different transport."
Attack vector
An attacker can send connection requests to a listening AF_VSOCK socket that cause vsock_assign_transport() to fail or select a different transport. Each such failure permanently increments sk_ack_backlog because sk_acceptq_added() was called before transport validation but sk_acceptq_removed() is never called on the error path. After approximately backlog+1 such failures, sk_acceptq_is_full() returns true and the listener rejects all new connections, resulting in a denial of service. The attack requires only the ability to send vsock packets to a listening socket on the same host or virtual machine.
Affected code
The vulnerable function is virtio_transport_recv_listen() in net/vmw_vsock/virtio_transport_common.c [patch_id=2897695]. The bug was introduced by commit c0cfa2d8a788 ("vsock: add multi-transports support").
What the fix does
The patch moves the sk_acceptq_added(sk) call from before the transport validation to after vsock_assign_transport() succeeds [patch_id=2897695]. This ensures the accept queue counter is only incremented once the transport has been successfully assigned. If vsock_assign_transport() fails or selects a different transport, the function returns early without having incremented the counter, so no leak occurs. This matches the pattern already used by vmci_transport and hyperv_transport.
Preconditions
- configA listening AF_VSOCK socket must exist on the target system.
- networkAttacker must be able to send vsock packets to the listening socket (same host or VM).
- inputThe connection request must trigger a transport mismatch or failure in vsock_assign_transport().
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/29371f3cc83e2a92265b4768014a30b80234112fnvd
- git.kernel.org/stable/c/52bcb57a4e8a0865a76c587c2451906342ae1b2dnvd
- git.kernel.org/stable/c/65c484726e74013a2ec7ba67a34d87760ae8f390nvd
- git.kernel.org/stable/c/6d3275fc4ed968938e1d556c344798046776668dnvd
- git.kernel.org/stable/c/e9edf9893cf26d060705c910a9b62d8cc96ed56anvd
News mentions
0No linked articles in our index yet.