FKIE_CVE-2026-23086

Vulnerability from fkie_nvd - Published: 2026-02-04 17:16 - Updated: 2026-02-06 17:16
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: cap TX credit to local buffer size The virtio transports derives its TX credit directly from peer_buf_alloc, which is set from the remote endpoint's SO_VM_SOCKETS_BUFFER_SIZE value. On the host side this means that the amount of data we are willing to queue for a connection is scaled by a guest-chosen buffer size, rather than the host's own vsock configuration. A malicious guest can advertise a large buffer and read slowly, causing the host to allocate a correspondingly large amount of sk_buff memory. The same thing would happen in the guest with a malicious host, since virtio transports share the same code base. Introduce a small helper, virtio_transport_tx_buf_size(), that returns min(peer_buf_alloc, buf_alloc), and use it wherever we consume peer_buf_alloc. This ensures the effective TX window is bounded by both the peer's advertised buffer and our own buf_alloc (already clamped to buffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer cannot force the other to queue more data than allowed by its own vsock settings. On an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with 32 guest vsock connections advertising 2 GiB each and reading slowly drove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only recovered after killing the QEMU process. That said, if QEMU memory is limited with cgroups, the maximum memory used will be limited. With this patch applied: Before: MemFree: ~61.6 GiB Slab: ~142 MiB SUnreclaim: ~117 MiB After 32 high-credit connections: MemFree: ~61.5 GiB Slab: ~178 MiB SUnreclaim: ~152 MiB Only ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest remains responsive. Compatibility with non-virtio transports: - VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per socket based on the local vsk->buffer_* values; the remote side cannot enlarge those queues beyond what the local endpoint configured. - Hyper-V's vsock transport uses fixed-size VMBus ring buffers and an MTU bound; there is no peer-controlled credit field comparable to peer_buf_alloc, and the remote endpoint cannot drive in-flight kernel memory above those ring sizes. - The loopback path reuses virtio_transport_common.c, so it naturally follows the same semantics as the virtio transport. This change is limited to virtio_transport_common.c and thus affects virtio-vsock, vhost-vsock, and loopback, bringing them in line with the "remote window intersected with local policy" behaviour that VMCI and Hyper-V already effectively have. [Stefano: small adjustments after changing the previous patch] [Stefano: tweak the commit message]
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/84ef86aa7120449828d1e0ce438c499014839711
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8ee784fdf006cbe8739cfa093f54d326cbf54037
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/c0e42fb0e054c2b2ec4ee80f48ccd256ae0227ce
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d9d5f222558b42f6277eafaaa6080966faf37676
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/fef7110ae5617555c792a2bb4d27878d84583adf
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: cap TX credit to local buffer size\n\nThe virtio transports derives its TX credit directly from peer_buf_alloc,\nwhich is set from the remote endpoint\u0027s SO_VM_SOCKETS_BUFFER_SIZE value.\n\nOn the host side this means that the amount of data we are willing to\nqueue for a connection is scaled by a guest-chosen buffer size, rather\nthan the host\u0027s own vsock configuration. A malicious guest can advertise\na large buffer and read slowly, causing the host to allocate a\ncorrespondingly large amount of sk_buff memory.\nThe same thing would happen in the guest with a malicious host, since\nvirtio transports share the same code base.\n\nIntroduce a small helper, virtio_transport_tx_buf_size(), that\nreturns min(peer_buf_alloc, buf_alloc), and use it wherever we consume\npeer_buf_alloc.\n\nThis ensures the effective TX window is bounded by both the peer\u0027s\nadvertised buffer and our own buf_alloc (already clamped to\nbuffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer\ncannot force the other to queue more data than allowed by its own\nvsock settings.\n\nOn an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with\n32 guest vsock connections advertising 2 GiB each and reading slowly\ndrove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only\nrecovered after killing the QEMU process. That said, if QEMU memory is\nlimited with cgroups, the maximum memory used will be limited.\n\nWith this patch applied:\n\n  Before:\n    MemFree:        ~61.6 GiB\n    Slab:           ~142 MiB\n    SUnreclaim:     ~117 MiB\n\n  After 32 high-credit connections:\n    MemFree:        ~61.5 GiB\n    Slab:           ~178 MiB\n    SUnreclaim:     ~152 MiB\n\nOnly ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest\nremains responsive.\n\nCompatibility with non-virtio transports:\n\n  - VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per\n    socket based on the local vsk-\u003ebuffer_* values; the remote side\n    cannot enlarge those queues beyond what the local endpoint\n    configured.\n\n  - Hyper-V\u0027s vsock transport uses fixed-size VMBus ring buffers and\n    an MTU bound; there is no peer-controlled credit field comparable\n    to peer_buf_alloc, and the remote endpoint cannot drive in-flight\n    kernel memory above those ring sizes.\n\n  - The loopback path reuses virtio_transport_common.c, so it\n    naturally follows the same semantics as the virtio transport.\n\nThis change is limited to virtio_transport_common.c and thus affects\nvirtio-vsock, vhost-vsock, and loopback, bringing them in line with the\n\"remote window intersected with local policy\" behaviour that VMCI and\nHyper-V already effectively have.\n\n[Stefano: small adjustments after changing the previous patch]\n[Stefano: tweak the commit message]"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nvsock/virtio: limitar el cr\u00e9dito TX al tama\u00f1o del b\u00fafer local\n\nLos transportes virtio derivan su cr\u00e9dito TX directamente de peer_buf_alloc, que se establece a partir del valor SO_VM_SOCKETS_BUFFER_SIZE del punto final remoto.\n\nEn el lado del host, esto significa que la cantidad de datos que estamos dispuestos a encolar para una conexi\u00f3n se escala por un tama\u00f1o de b\u00fafer elegido por el invitado, en lugar de la propia configuraci\u00f3n vsock del host. Un invitado malicioso puede anunciar un b\u00fafer grande y leer lentamente, haciendo que el host asigne una cantidad correspondientemente grande de memoria sk_buff.\nLo mismo ocurrir\u00eda en el invitado con un host malicioso, ya que los transportes virtio comparten la misma base de c\u00f3digo.\n\nIntroducir una peque\u00f1a funci\u00f3n auxiliar, virtio_transport_tx_buf_size(), que devuelve min(peer_buf_alloc, buf_alloc), y usarla dondequiera que consumamos peer_buf_alloc.\n\nEsto asegura que la ventana TX efectiva est\u00e9 limitada tanto por el b\u00fafer anunciado del par como por nuestro propio buf_alloc (ya ajustado a buffer_max_size a trav\u00e9s de SO_VM_SOCKETS_BUFFER_MAX_SIZE), de modo que un par remoto no pueda forzar al otro a encolar m\u00e1s datos de los permitidos por su propia configuraci\u00f3n vsock.\n\nEn un host Ubuntu 22.04 sin parchear (~64 GiB de RAM), ejecutar una PoC con 32 conexiones vsock de invitado anunciando 2 GiB cada una y leyendo lentamente llev\u00f3 Slab/SUnreclaim de ~0.5 GiB a ~57 GiB; el sistema solo se recuper\u00f3 despu\u00e9s de terminar el proceso QEMU. Dicho esto, si la memoria de QEMU est\u00e1 limitada con cgroups, la memoria m\u00e1xima utilizada estar\u00e1 limitada.\n\nCon este parche aplicado:\n\n  Antes:\n    MemFree:        ~61.6 GiB\n    Slab:           ~142 MiB\n    SUnreclaim:     ~117 MiB\n\n  Despu\u00e9s de 32 conexiones de alto cr\u00e9dito:\n    MemFree:        ~61.5 GiB\n    Slab:           ~178 MiB\n    SUnreclaim:     ~152 MiB\n\nSolo un aumento de ~35 MiB en Slab/SUnreclaim, sin OOM del host, y el invitado permanece receptivo.\n\nCompatibilidad con transportes no virtio:\n\n  - VMCI utiliza los controles de b\u00fafer AF_VSOCK para dimensionar sus pares de cola por socket bas\u00e1ndose en los valores locales vsk-\u0026gt;buffer_*; el lado remoto no puede ampliar esas colas m\u00e1s all\u00e1 de lo que configur\u00f3 el punto final local.\n\n  - El transporte vsock de Hyper-V utiliza b\u00faferes de anillo VMBus de tama\u00f1o fijo y un l\u00edmite de MTU; no hay un campo de cr\u00e9dito controlado por el par comparable a peer_buf_alloc, y el punto final remoto no puede impulsar la memoria del kernel en tr\u00e1nsito por encima de esos tama\u00f1os de anillo.\n\n  - La ruta de bucle invertido reutiliza virtio_transport_common.c, por lo que naturalmente sigue la misma sem\u00e1ntica que el transporte virtio.\n\nEste cambio se limita a virtio_transport_common.c y por lo tanto afecta a virtio-vsock, vhost-vsock y loopback, poni\u00e9ndolos en l\u00ednea con el comportamiento de \u0027ventana remota intersectada con pol\u00edtica local\u0027 que VMCI y Hyper-V ya tienen efectivamente.\n\n[Stefano: peque\u00f1os ajustes despu\u00e9s de cambiar el parche anterior]\n[Stefano: ajustar el mensaje de commit]"
    }
  ],
  "id": "CVE-2026-23086",
  "lastModified": "2026-02-06T17:16:24.170",
  "metrics": {},
  "published": "2026-02-04T17:16:19.467",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/84ef86aa7120449828d1e0ce438c499014839711"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/8ee784fdf006cbe8739cfa093f54d326cbf54037"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/c0e42fb0e054c2b2ec4ee80f48ccd256ae0227ce"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/d9d5f222558b42f6277eafaaa6080966faf37676"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/fef7110ae5617555c792a2bb4d27878d84583adf"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.