{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23069", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.954Z", "datePublished": "2026-02-04T16:07:49.911Z", "dateUpdated": "2026-05-11T21:59:23.999Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:59:23.999Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: fix potential underflow in virtio_transport_get_credit()\n\nThe credit calculation in virtio_transport_get_credit() uses unsigned\narithmetic:\n\n ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt);\n\nIf the peer shrinks its advertised buffer (peer_buf_alloc) while bytes\nare in flight, the subtraction can underflow and produce a large\npositive value, potentially allowing more data to be queued than the\npeer can handle.\n\nReuse virtio_transport_has_space() which already handles this case and\nadd a comment to make it clear why we are doing that.\n\n[Stefano: use virtio_transport_has_space() instead of duplicating the code]\n[Stefano: tweak the commit message]"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/vmw_vsock/virtio_transport_common.c"], "versions": [{"version": "06a8fc78367d070720af960dcecec917d3ae5f3b", "lessThan": "d96de882d6b99955604669d962ae14e94b66a551", "status": "affected", "versionType": "git"}, {"version": "06a8fc78367d070720af960dcecec917d3ae5f3b", "lessThan": "02f9af192b98d15883c70dd41ac76d1b0217c899", "status": "affected", "versionType": "git"}, {"version": "06a8fc78367d070720af960dcecec917d3ae5f3b", "lessThan": "d05bc313788f0684b27f0f5b60c52a844669b542", "status": "affected", "versionType": "git"}, {"version": "06a8fc78367d070720af960dcecec917d3ae5f3b", "lessThan": "ec0f1b3da8061be3173d1c39faaf9504f91942c3", "status": "affected", "versionType": "git"}, {"version": "06a8fc78367d070720af960dcecec917d3ae5f3b", "lessThan": "3ef3d52a1a9860d094395c7a3e593f3aa26ff012", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/vmw_vsock/virtio_transport_common.c"], "versions": [{"version": "4.8", "status": "affected"}, {"version": "0", "lessThan": "4.8", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.68", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "6.1.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "6.12.68"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d96de882d6b99955604669d962ae14e94b66a551"}, {"url": "https://git.kernel.org/stable/c/02f9af192b98d15883c70dd41ac76d1b0217c899"}, {"url": "https://git.kernel.org/stable/c/d05bc313788f0684b27f0f5b60c52a844669b542"}, {"url": "https://git.kernel.org/stable/c/ec0f1b3da8061be3173d1c39faaf9504f91942c3"}, {"url": "https://git.kernel.org/stable/c/3ef3d52a1a9860d094395c7a3e593f3aa26ff012"}], "title": "vsock/virtio: fix potential underflow in virtio_transport_get_credit()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "68145F3E-ECEF-4C5B-95B5-996FCDAD1705", "versionEndExcluding": "6.1.162", "versionStartIncluding": "4.8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F", "versionEndExcluding": "6.6.122", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "52F38E19-0FDD-4992-9D6D-D4169D689598", "versionEndExcluding": "6.12.68", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E65C6E79-7EBE-4C77-93F0-818CF5B38F4E", "versionEndExcluding": "6.18.8", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: fix potential underflow in virtio_transport_get_credit()\n\nThe credit calculation in virtio_transport_get_credit() uses unsigned\narithmetic:\n\n ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt);\n\nIf the peer shrinks its advertised buffer (peer_buf_alloc) while bytes\nare in flight, the subtraction can underflow and produce a large\npositive value, potentially allowing more data to be queued than the\npeer can handle.\n\nReuse virtio_transport_has_space() which already handles this case and\nadd a comment to make it clear why we are doing that.\n\n[Stefano: use virtio_transport_has_space() instead of duplicating the code]\n[Stefano: tweak the commit message]"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nvsock/virtio: soluciona un posible desbordamiento negativo en virtio_transport_get_credit()\n\nEl c\u00e1lculo de cr\u00e9dito en virtio_transport_get_credit() utiliza aritm\u00e9tica sin signo:\n\nret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt);\n\nSi el par reduce su b\u00fafer anunciado (peer_buf_alloc) mientras hay bytes en tr\u00e1nsito, la resta puede sufrir un desbordamiento negativo y producir un valor positivo grande, lo que podr\u00eda permitir que se pongan en cola m\u00e1s datos de los que el par puede manejar.\n\nReutilizar virtio_transport_has_space() que ya maneja este caso y a\u00f1adir un comentario para dejar claro por qu\u00e9 lo estamos haciendo.\n\n[Stefano: usar virtio_transport_has_space() en lugar de duplicar el c\u00f3digo]\n[Stefano: ajustar el mensaje de commit]"}], "id": "CVE-2026-23069", "lastModified": "2026-03-13T21:27:26.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T17:16:17.610", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/02f9af192b98d15883c70dd41ac76d1b0217c899"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3ef3d52a1a9860d094395c7a3e593f3aa26ff012"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d05bc313788f0684b27f0f5b60c52a844669b542"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d96de882d6b99955604669d962ae14e94b66a551"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ec0f1b3da8061be3173d1c39faaf9504f91942c3"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-191"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: vsock/virtio: fix potential underflow in virtio_transport_get_credit()", "id": "2436768", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436768"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23069", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23069\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23069\nhttps://lore.kernel.org/linux-cve-announce/2026020417-CVE-2026-23069-d026@gregkh/T"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T13:55:06.211920+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel update that includes the virtio_transport_get_credit fix", "If a kernel upgrade is not feasible in your environment, disable the virtio vsock device or restrict guest traffic to prevent the vulnerable credit calculation from being invoked", "For custom or embedded Linux builds, apply the upstream patch that replaces the underflowing arithmetic with virtio_transport_has_space() or otherwise validate buffer limits before sending"], "summary": {"action": "Patch immediately", "impact": "Potential buffer overflow caused by unsigned underflow in virtio_transport_get_credit"}, "threat_synthesis": {"affected_systems": "All Linux kernel implementations that expose the virtio vsock interface are affected, including the 6.19 release candidates referenced in the reported CPEs. Any distribution that ships the default virtio vsock driver with the vulnerable implementation is at risk.", "description_and_impact": "The crash originates from unsigned arithmetic in the function virtio_transport_get_credit within the Linux kernel\u2019s virtio vsock subsystem. The calculation uses the peer\u2019s advertised buffer size and subtracts the number of queued bytes, which can underflow if the peer reduces its buffer while bytes are still in flight. The resulting large positive value allows more data to be queued than the peer can safely handle, potentially overflowing the peer\u2019s buffer and leading to memory corruption or a denial of service.", "risk_and_exploitability": "The CVSS score of 5.5 denotes medium severity, and the EPSS score of less than 1% indicates a very low probability of exploitation. The vulnerability is not present in the CISA KeV catalog. Exploitation would require an attacker able to influence the virtio communication path\u2014typically a guest or host with access to the virtualization environment\u2014making it a local or privileged scenario rather than a remote code execution attack."}}}}, "created": "2026-04-18T14:00:02.184688+00:00", "updated": "2026-04-18T14:00:02.184702+00:00", "vendors": []}