{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23057", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.951Z", "datePublished": "2026-02-04T16:07:40.550Z", "dateUpdated": "2026-05-11T21:59:10.131Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:59:10.131Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: Coalesce only linear skb\n\nvsock/virtio common tries to coalesce buffers in rx queue: if a linear skb\n(with a spare tail room) is followed by a small skb (length limited by\nGOOD_COPY_LEN = 128), an attempt is made to join them.\n\nSince the introduction of MSG_ZEROCOPY support, assumption that a small skb\nwill always be linear is incorrect. In the zerocopy case, data is lost and\nthe linear skb is appended with uninitialized kernel memory.\n\nOf all 3 supported virtio-based transports, only loopback-transport is\naffected. G2H virtio-transport rx queue operates on explicitly linear skbs;\nsee virtio_vsock_alloc_linear_skb() in virtio_vsock_rx_fill(). H2G\nvhost-transport may allocate non-linear skbs, but only for sizes that are\nnot considered for coalescence; see PAGE_ALLOC_COSTLY_ORDER in\nvirtio_vsock_alloc_skb().\n\nEnsure only linear skbs are coalesced. Note that skb_tailroom(last_skb) > 0\nguarantees last_skb is linear."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/vmw_vsock/virtio_transport_common.c"], "versions": [{"version": "581512a6dc939ef122e49336626ae159f3b8a345", "lessThan": "568e9cd8ed7ca9bf748c7687ba6501f29d30e59f", "status": "affected", "versionType": "git"}, {"version": "581512a6dc939ef122e49336626ae159f3b8a345", "lessThan": "63ef9b300bd09e24c57050c5dbe68feedce42e72", "status": "affected", "versionType": "git"}, {"version": "581512a6dc939ef122e49336626ae159f3b8a345", "lessThan": "0386bd321d0f95d041a7b3d7b07643411b044a96", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/vmw_vsock/virtio_transport_common.c"], "versions": [{"version": "6.7", "status": "affected"}, {"version": "0", "lessThan": "6.7", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.68", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.68"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/568e9cd8ed7ca9bf748c7687ba6501f29d30e59f"}, {"url": "https://git.kernel.org/stable/c/63ef9b300bd09e24c57050c5dbe68feedce42e72"}, {"url": "https://git.kernel.org/stable/c/0386bd321d0f95d041a7b3d7b07643411b044a96"}], "title": "vsock/virtio: Coalesce only linear skb", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: Coalesce only linear skb\n\nvsock/virtio common tries to coalesce buffers in rx queue: if a linear skb\n(with a spare tail room) is followed by a small skb (length limited by\nGOOD_COPY_LEN = 128), an attempt is made to join them.\n\nSince the introduction of MSG_ZEROCOPY support, assumption that a small skb\nwill always be linear is incorrect. In the zerocopy case, data is lost and\nthe linear skb is appended with uninitialized kernel memory.\n\nOf all 3 supported virtio-based transports, only loopback-transport is\naffected. G2H virtio-transport rx queue operates on explicitly linear skbs;\nsee virtio_vsock_alloc_linear_skb() in virtio_vsock_rx_fill(). H2G\nvhost-transport may allocate non-linear skbs, but only for sizes that are\nnot considered for coalescence; see PAGE_ALLOC_COSTLY_ORDER in\nvirtio_vsock_alloc_skb().\n\nEnsure only linear skbs are coalesced. Note that skb_tailroom(last_skb) > 0\nguarantees last_skb is linear."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nvsock/virtio: Coalescer solo skb lineal\n\nEl com\u00fan de vsock/virtio intenta coalescer b\u00faferes en la cola rx: si un skb lineal (con espacio de cola libre) es seguido por un skb peque\u00f1o (longitud limitada por GOOD_COPY_LEN = 128), se intenta unirlos.\n\nDesde la introducci\u00f3n del soporte MSG_ZEROCOPY, la suposici\u00f3n de que un skb peque\u00f1o siempre ser\u00e1 lineal es incorrecta. En el caso de zerocopy, se pierden datos y el skb lineal es anexado con memoria del kernel no inicializada.\n\nDe todos los 3 transportes basados en virtio soportados, solo el transporte loopback se ve afectado. La cola rx del transporte virtio G2H opera con skbs expl\u00edcitamente lineales; ver virtio_vsock_alloc_linear_skb() en virtio_vsock_rx_fill(). El transporte vhost H2G puede asignar skbs no lineales, pero solo para tama\u00f1os que no se consideran para la coalescencia; ver PAGE_ALLOC_COSTLY_ORDER en virtio_vsock_alloc_skb().\n\nAsegurar que solo los skbs lineales sean coalescidos. Tenga en cuenta que skb_tailroom(last_skb) > 0 garantiza que last_skb es lineal."}], "id": "CVE-2026-23057", "lastModified": "2026-04-15T00:35:42.020", "metrics": {}, "published": "2026-02-04T17:16:16.380", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0386bd321d0f95d041a7b3d7b07643411b044a96"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/568e9cd8ed7ca9bf748c7687ba6501f29d30e59f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/63ef9b300bd09e24c57050c5dbe68feedce42e72"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Deferred"}

{"bugzilla": {"description": "kernel: vsock/virtio: Coalesce only linear skb", "id": "2436759", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436759"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23057", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23057\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23057\nhttps://lore.kernel.org/linux-cve-announce/2026020413-CVE-2026-23057-03eb@gregkh/T"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-17T23:44:07.728861+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that includes the vsock zero\u2011copy buffer coalescence fix.", "If updating is not possible, disable MSG_ZEROCOPY for the vsock/virtio loopback transport by building the kernel with the option turned off or by setting the appropriate runtime parameter.", "Continuously monitor system logs and application behavior for anomalous vsock activity or kernel panics, and disable the loopback vsock transport if it is not needed."], "summary": {"action": "Patch", "impact": "Integrity Compromise"}, "threat_synthesis": {"affected_systems": "The flaw affects the loopback\u2011based vsock/virtio transport in Linux kernel implementations; it does not impact the g2h transport, which always allocates linear buffers, nor the h2g vhost channel, which avoids small non\u2011linear buffers. Because specific kernel version information is not provided, users should verify that their current kernel includes the fix that introduces safe handling of skb coalescence.", "description_and_impact": "The Linux kernel's vsock/virtio subsystem was found to incorrectly merge small receive buffers under certain zero\u2011copy conditions, which can cause a linear socket buffer to be appended with uninitialized kernel memory, leading to data loss and potential corruption of kernel memory and compromising the integrity of data processed by the vsock transport.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.0 and an EPSS exploitation probability of less than 1\u202f%, and it has not been listed in the CISA Known Exploited Vulnerabilities catalog. The attack surface resides in kernel space, requiring interaction with the vsock/virtio loopback interface; although rare, an attacker could trigger repeated mis\u2011coalescence to corrupt kernel memory, potentially enabling privilege escalation or system crash."}}}}, "created": "2026-04-17T23:45:25.814264+00:00", "updated": "2026-04-17T23:45:25.814274+00:00", "vendors": [], "weaknesses": ["CWE-457", "CWE-119"]}