Skip to main content

Linux Kernel CVE-2026-46214

| EUVDEUVD-2026-32841 MEDIUM
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-4ghp-qfgj-33p6
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 19:28 vuln.today
CVSS changed
Jun 10, 2026 - 19:22 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

vsock/virtio: fix accept queue count leak on transport mismatch

virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog.

After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections.

Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.

AnalysisAI

Denial-of-service via accept queue counter leak in the Linux kernel's vsock/virtio subsystem allows an authenticated local attacker to permanently exhaust a listener socket's backlog, causing it to reject all new connections. The flaw exists from kernel 5.5 onward in virtio_transport_recv_listen(), where sk_acceptq_added() is called before vsock_assign_transport() validation; failed transport assignments never call the paired sk_acceptq_removed(), permanently inflating sk_ack_backlog. No public exploit exists and EPSS is at the 5th percentile, but the impact in multi-tenant virtualized environments relying on vsock communication is a complete denial of vsock listener service.

Technical ContextAI

The vulnerability resides in the AF_VSOCK (Virtual Socket) subsystem's virtio transport backend (vmw_vsock_virtio_transport kernel module), which facilitates socket-based communication between guest virtual machines and hypervisors. The root cause is an improper resource accounting pattern in virtio_transport_recv_listen(): the accept queue counter sk_ack_backlog is incremented via sk_acceptq_added() before vsock_assign_transport() is called to validate and select the appropriate transport. When vsock_assign_transport() fails - for example, due to a transport type mismatch where the connecting peer's transport does not match what the listener expects - the error path returns without invoking the paired sk_acceptq_removed() decrement. This is a resource counter leak analogous to CWE-459 (Incomplete Cleanup) or CWE-911 (Improper Update of Reference Count), though NVD lists CWE as N/A for this entry. The fix, mirroring the already-correct pattern in vmci_transport and hyperv_transport, moves sk_acceptq_added() to after successful transport validation. CPE data confirms the affected product as cpe:2.3:o:linux:linux_kernel across multiple stable branches.

RemediationAI

The primary remediation is upgrading to a patched kernel version: Linux 6.6.140, 6.12.90, 6.18.32, 7.0.9, or 7.1-rc1 or later, depending on the stable branch in use. Patches are available directly from git.kernel.org stable commits referenced in the CVE (see 29371f3cc83e, 52bcb57a4e8a, 65c484726e74, 6d3275fc4ed9, e9edf9893cf2 among others). For systems where immediate kernel upgrade is not feasible, unloading the vmw_vsock_virtio_transport kernel module (modprobe -r vmw_vsock_virtio_transport) eliminates the attack surface entirely, but disables all virtio-based guest-host vsock communication - this is appropriate only if the vsock transport is not operationally required. A narrower compensating control is to restrict AF_VSOCK socket creation to privileged users via cgroup policies or by limiting access to /dev/vsock, which reduces exposure without fully disabling vsock; however, this may break legitimate guest agent or VM tooling that relies on vsock. Advisory reference: https://nvd.nist.gov/vuln/detail/CVE-2026-46214.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46214 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy