CVE-2026-23086

{"id": "CVE-2026-23086", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2026-02-04T17:16:19.467", "references": [{"url": "https://git.kernel.org/stable/c/84ef86aa7120449828d1e0ce438c499014839711", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8ee784fdf006cbe8739cfa093f54d326cbf54037", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c0e42fb0e054c2b2ec4ee80f48ccd256ae0227ce", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d9d5f222558b42f6277eafaaa6080966faf37676", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fef7110ae5617555c792a2bb4d27878d84583adf", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: cap TX credit to local buffer size\n\nThe virtio transports derives its TX credit directly from peer_buf_alloc,\nwhich is set from the remote endpoint's SO_VM_SOCKETS_BUFFER_SIZE value.\n\nOn the host side this means that the amount of data we are willing to\nqueue for a connection is scaled by a guest-chosen buffer size, rather\nthan the host's own vsock configuration. A malicious guest can advertise\na large buffer and read slowly, causing the host to allocate a\ncorrespondingly large amount of sk_buff memory.\nThe same thing would happen in the guest with a malicious host, since\nvirtio transports share the same code base.\n\nIntroduce a small helper, virtio_transport_tx_buf_size(), that\nreturns min(peer_buf_alloc, buf_alloc), and use it wherever we consume\npeer_buf_alloc.\n\nThis ensures the effective TX window is bounded by both the peer's\nadvertised buffer and our own buf_alloc (already clamped to\nbuffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer\ncannot force the other to queue more data than allowed by its own\nvsock settings.\n\nOn an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with\n32 guest vsock connections advertising 2 GiB each and reading slowly\ndrove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only\nrecovered after killing the QEMU process. That said, if QEMU memory is\nlimited with cgroups, the maximum memory used will be limited.\n\nWith this patch applied:\n\n Before:\n MemFree: ~61.6 GiB\n Slab: ~142 MiB\n SUnreclaim: ~117 MiB\n\n After 32 high-credit connections:\n MemFree: ~61.5 GiB\n Slab: ~178 MiB\n SUnreclaim: ~152 MiB\n\nOnly ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest\nremains responsive.\n\nCompatibility with non-virtio transports:\n\n - VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per\n socket based on the local vsk->buffer_* values; the remote side\n cannot enlarge those queues beyond what the local endpoint\n configured.\n\n - Hyper-V's vsock transport uses fixed-size VMBus ring buffers and\n an MTU bound; there is no peer-controlled credit field comparable\n to peer_buf_alloc, and the remote endpoint cannot drive in-flight\n kernel memory above those ring sizes.\n\n - The loopback path reuses virtio_transport_common.c, so it\n naturally follows the same semantics as the virtio transport.\n\nThis change is limited to virtio_transport_common.c and thus affects\nvirtio-vsock, vhost-vsock, and loopback, bringing them in line with the\n\"remote window intersected with local policy\" behaviour that VMCI and\nHyper-V already effectively have.\n\n[Stefano: small adjustments after changing the previous patch]\n[Stefano: tweak the commit message]"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nvsock/virtio: limitar el cr\u00e9dito TX al tama\u00f1o del b\u00fafer local\n\nLos transportes virtio derivan su cr\u00e9dito TX directamente de peer_buf_alloc, que se establece a partir del valor SO_VM_SOCKETS_BUFFER_SIZE del punto final remoto.\n\nEn el lado del host, esto significa que la cantidad de datos que estamos dispuestos a encolar para una conexi\u00f3n se escala por un tama\u00f1o de b\u00fafer elegido por el invitado, en lugar de la propia configuraci\u00f3n vsock del host. Un invitado malicioso puede anunciar un b\u00fafer grande y leer lentamente, haciendo que el host asigne una cantidad correspondientemente grande de memoria sk_buff.\nLo mismo ocurrir\u00eda en el invitado con un host malicioso, ya que los transportes virtio comparten la misma base de c\u00f3digo.\n\nIntroducir una peque\u00f1a funci\u00f3n auxiliar, virtio_transport_tx_buf_size(), que devuelve min(peer_buf_alloc, buf_alloc), y usarla dondequiera que consumamos peer_buf_alloc.\n\nEsto asegura que la ventana TX efectiva est\u00e9 limitada tanto por el b\u00fafer anunciado del par como por nuestro propio buf_alloc (ya ajustado a buffer_max_size a trav\u00e9s de SO_VM_SOCKETS_BUFFER_MAX_SIZE), de modo que un par remoto no pueda forzar al otro a encolar m\u00e1s datos de los permitidos por su propia configuraci\u00f3n vsock.\n\nEn un host Ubuntu 22.04 sin parchear (~64 GiB de RAM), ejecutar una PoC con 32 conexiones vsock de invitado anunciando 2 GiB cada una y leyendo lentamente llev\u00f3 Slab/SUnreclaim de ~0.5 GiB a ~57 GiB; el sistema solo se recuper\u00f3 despu\u00e9s de terminar el proceso QEMU. Dicho esto, si la memoria de QEMU est\u00e1 limitada con cgroups, la memoria m\u00e1xima utilizada estar\u00e1 limitada.\n\nCon este parche aplicado:\n\n Antes:\n MemFree: ~61.6 GiB\n Slab: ~142 MiB\n SUnreclaim: ~117 MiB\n\n Despu\u00e9s de 32 conexiones de alto cr\u00e9dito:\n MemFree: ~61.5 GiB\n Slab: ~178 MiB\n SUnreclaim: ~152 MiB\n\nSolo un aumento de ~35 MiB en Slab/SUnreclaim, sin OOM del host, y el invitado permanece receptivo.\n\nCompatibilidad con transportes no virtio:\n\n - VMCI utiliza los controles de b\u00fafer AF_VSOCK para dimensionar sus pares de cola por socket bas\u00e1ndose en los valores locales vsk->buffer_*; el lado remoto no puede ampliar esas colas m\u00e1s all\u00e1 de lo que configur\u00f3 el punto final local.\n\n - El transporte vsock de Hyper-V utiliza b\u00faferes de anillo VMBus de tama\u00f1o fijo y un l\u00edmite de MTU; no hay un campo de cr\u00e9dito controlado por el par comparable a peer_buf_alloc, y el punto final remoto no puede impulsar la memoria del kernel en tr\u00e1nsito por encima de esos tama\u00f1os de anillo.\n\n - La ruta de bucle invertido reutiliza virtio_transport_common.c, por lo que naturalmente sigue la misma sem\u00e1ntica que el transporte virtio.\n\nEste cambio se limita a virtio_transport_common.c y por lo tanto afecta a virtio-vsock, vhost-vsock y loopback, poni\u00e9ndolos en l\u00ednea con el comportamiento de 'ventana remota intersectada con pol\u00edtica local' que VMCI y Hyper-V ya tienen efectivamente.\n\n[Stefano: peque\u00f1os ajustes despu\u00e9s de cambiar el parche anterior]\n[Stefano: ajustar el mensaje de commit]"}], "lastModified": "2026-03-17T21:10:14.740", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "68145F3E-ECEF-4C5B-95B5-996FCDAD1705", "versionEndExcluding": "6.1.162", "versionStartIncluding": "4.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F", "versionEndExcluding": "6.6.122", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "52F38E19-0FDD-4992-9D6D-D4169D689598", "versionEndExcluding": "6.12.68", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E65C6E79-7EBE-4C77-93F0-818CF5B38F4E", "versionEndExcluding": "6.18.8", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}