{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-02T12:25:28.558","vulnerabilities":[{"cve":{"id":"CVE-2026-23086","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-02-04T17:16:19.467","lastModified":"2026-03-17T21:10:14.740","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: cap TX credit to local buffer size\n\nThe virtio transports derives its TX credit directly from peer_buf_alloc,\nwhich is set from the remote endpoint's SO_VM_SOCKETS_BUFFER_SIZE value.\n\nOn the host side this means that the amount of data we are willing to\nqueue for a connection is scaled by a guest-chosen buffer size, rather\nthan the host's own vsock configuration. A malicious guest can advertise\na large buffer and read slowly, causing the host to allocate a\ncorrespondingly large amount of sk_buff memory.\nThe same thing would happen in the guest with a malicious host, since\nvirtio transports share the same code base.\n\nIntroduce a small helper, virtio_transport_tx_buf_size(), that\nreturns min(peer_buf_alloc, buf_alloc), and use it wherever we consume\npeer_buf_alloc.\n\nThis ensures the effective TX window is bounded by both the peer's\nadvertised buffer and our own buf_alloc (already clamped to\nbuffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer\ncannot force the other to queue more data than allowed by its own\nvsock settings.\n\nOn an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with\n32 guest vsock connections advertising 2 GiB each and reading slowly\ndrove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only\nrecovered after killing the QEMU process. 
That said, if QEMU memory is\nlimited with cgroups, the maximum memory used will be limited.\n\nWith this patch applied:\n\n  Before:\n    MemFree:        ~61.6 GiB\n    Slab:           ~142 MiB\n    SUnreclaim:     ~117 MiB\n\n  After 32 high-credit connections:\n    MemFree:        ~61.5 GiB\n    Slab:           ~178 MiB\n    SUnreclaim:     ~152 MiB\n\nOnly ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest\nremains responsive.\n\nCompatibility with non-virtio transports:\n\n  - VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per\n    socket based on the local vsk->buffer_* values; the remote side\n    cannot enlarge those queues beyond what the local endpoint\n    configured.\n\n  - Hyper-V's vsock transport uses fixed-size VMBus ring buffers and\n    an MTU bound; there is no peer-controlled credit field comparable\n    to peer_buf_alloc, and the remote endpoint cannot drive in-flight\n    kernel memory above those ring sizes.\n\n  - The loopback path reuses virtio_transport_common.c, so it\n    naturally follows the same semantics as the virtio transport.\n\nThis change is limited to virtio_transport_common.c and thus affects\nvirtio-vsock, vhost-vsock, and loopback, bringing them in line with the\n\"remote window intersected with local policy\" behaviour that VMCI and\nHyper-V already effectively have.\n\n[Stefano: small adjustments after changing the previous patch]\n[Stefano: tweak the commit message]"},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nvsock/virtio: limitar el crédito TX al tamaño del búfer local\n\nLos transportes virtio derivan su crédito TX directamente de peer_buf_alloc, que se establece a partir del valor SO_VM_SOCKETS_BUFFER_SIZE del punto final remoto.\n\nEn el lado del host, esto significa que la cantidad de datos que estamos dispuestos a encolar para una conexión se escala por un tamaño de búfer elegido por el invitado, en lugar de la propia configuración vsock 
del host. Un invitado malicioso puede anunciar un búfer grande y leer lentamente, haciendo que el host asigne una cantidad correspondientemente grande de memoria sk_buff.\nLo mismo ocurriría en el invitado con un host malicioso, ya que los transportes virtio comparten la misma base de código.\n\nIntroducir una pequeña función auxiliar, virtio_transport_tx_buf_size(), que devuelve min(peer_buf_alloc, buf_alloc), y usarla dondequiera que consumamos peer_buf_alloc.\n\nEsto asegura que la ventana TX efectiva esté limitada tanto por el búfer anunciado del par como por nuestro propio buf_alloc (ya ajustado a buffer_max_size a través de SO_VM_SOCKETS_BUFFER_MAX_SIZE), de modo que un par remoto no pueda forzar al otro a encolar más datos de los permitidos por su propia configuración vsock.\n\nEn un host Ubuntu 22.04 sin parchear (~64 GiB de RAM), ejecutar una PoC con 32 conexiones vsock de invitado anunciando 2 GiB cada una y leyendo lentamente llevó Slab/SUnreclaim de ~0.5 GiB a ~57 GiB; el sistema solo se recuperó después de terminar el proceso QEMU. 
Dicho esto, si la memoria de QEMU está limitada con cgroups, la memoria máxima utilizada estará limitada.\n\nCon este parche aplicado:\n\n  Antes:\n    MemFree:        ~61.6 GiB\n    Slab:           ~142 MiB\n    SUnreclaim:     ~117 MiB\n\n  Después de 32 conexiones de alto crédito:\n    MemFree:        ~61.5 GiB\n    Slab:           ~178 MiB\n    SUnreclaim:     ~152 MiB\n\nSolo un aumento de ~35 MiB en Slab/SUnreclaim, sin OOM del host, y el invitado permanece receptivo.\n\nCompatibilidad con transportes no virtio:\n\n  - VMCI utiliza los controles de búfer AF_VSOCK para dimensionar sus pares de cola por socket basándose en los valores locales vsk->buffer_*; el lado remoto no puede ampliar esas colas más allá de lo que configuró el punto final local.\n\n  - El transporte vsock de Hyper-V utiliza búferes de anillo VMBus de tamaño fijo y un límite de MTU; no hay un campo de crédito controlado por el par comparable a peer_buf_alloc, y el punto final remoto no puede impulsar la memoria del kernel en tránsito por encima de esos tamaños de anillo.\n\n  - La ruta de bucle invertido reutiliza virtio_transport_common.c, por lo que naturalmente sigue la misma semántica que el transporte virtio.\n\nEste cambio se limita a virtio_transport_common.c y por lo tanto afecta a virtio-vsock, vhost-vsock y loopback, poniéndolos en línea con el comportamiento de 'ventana remota intersectada con política local' que VMCI y Hyper-V ya tienen efectivamente.\n\n[Stefano: pequeños ajustes después de cambiar el parche anterior]\n[Stefano: ajustar el mensaje de 
commit]"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"6.1.162","matchCriteriaId":"68145F3E-ECEF-4C5B-95B5-996FCDAD1705"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.122","matchCriteriaId":"8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.68","matchCriteriaId":"52F38E19-0FDD-4992-9D6D-D4169D689598"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.8","matchCriteriaId":"E65C6E79-7EBE-4C77-93F0-818CF5B38F4E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*","matchCriteriaId":"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*","matchCriteriaId":"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*","matchCriteriaId":"F71D92C0-C023-48BD-B3B6-70B638EEE298"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*","matchCriteriaId":"13580667-0A98-40CC-B29F-D12790B91BDB"},{"vu
lnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*","matchCriteriaId":"CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*","matchCriteriaId":"3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/84ef86aa7120449828d1e0ce438c499014839711","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8ee784fdf006cbe8739cfa093f54d326cbf54037","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c0e42fb0e054c2b2ec4ee80f48ccd256ae0227ce","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d9d5f222558b42f6277eafaaa6080966faf37676","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fef7110ae5617555c792a2bb4d27878d84583adf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}