Skip to main content

Linux Kernel CVE-2026-46234

| EUVDEUVD-2026-32752 HIGH
Out-of-bounds Write (CWE-787)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-jc98-98jj-62cp
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local AF_VSOCK access by an unprivileged user (AV:L/PR:L); turning the clamp inversion into a usable OOB write requires non-trivial kernel-heap shaping, so AC:H; full kernel compromise gives C/I/A:H.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 23:35 vuln.today
CVSS changed
Jun 10, 2026 - 21:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

vsock: fix buffer size clamping order

In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint.

This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.

Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size.

AnalysisAI

Local privilege escalation in the Linux kernel's vsock (virtio sockets) subsystem stems from inverted buffer-size clamping logic in vsock_update_buffer_size(), allowing a local user to grow vsk->buffer_size beyond the configured vsk->buffer_max_size and violate intended socket memory boundaries. Affected branches include stable trees prior to 6.6.140, 6.12.90, 6.18.32, 7.0.9, and 7.1-rc1; no public exploit identified at time of analysis and EPSS is 0.02% (5th percentile).

Technical ContextAI

The flaw lives in the Linux kernel virtio-vsock socket layer (net/vmw_vsock/), which provides guest-to-host socket communication for virtual machines and is commonly used by hypervisors and containers. vsock_update_buffer_size() is supposed to clamp a user-requested buffer size between buffer_min_size and buffer_max_size, but the original code applied the max bound first and the min bound second, so a min value greater than max overrides the max ceiling. CWE-787 (Out-of-bounds Write) classifies the resulting condition: the buffer_size field can be inflated past its configured ceiling, breaking the memory boundary invariant the rest of the vsock code relies on for accounting and allocation. Affected CPEs are all cpe:2.3:o:linux:linux_kernel:* introduced by commit b9f2b0ffde0c (Linux 5.5) and corrected by the five stable backport commits 0b68881…, 2602f7bb…, 310da279…, a998a7e2…, and d114bfdc….

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.90, 6.18.32, 7.0.9, or 7.1-rc1 (or any later release in each branch) which contain the fixed clamping order in vsock_update_buffer_size(); the stable commits are listed at git.kernel.org/stable/c/0b68881501460c3761f196469e1e503218c5e536, /2602f7bb5818e92315feeaeb71d8ce4d5c9ab160, /310da27932dd0afe7ce7456dfe1f0814c3301f41, /a998a7e250bf976539e05a00ec64a81292afecaa, and /d114bfdc9b76bf93b881e195b7ec957c14227bab, with distribution backports tracked via https://nvd.nist.gov/vuln/detail/CVE-2026-46234 and EUVD-2026-32752. If patching must be deferred, blacklist the vsock, vmw_vsock_virtio_transport, and vhost_vsock modules (via /etc/modprobe.d) on hosts and guests that do not require VM-to-host socket communication - this fully removes attack surface but breaks any tooling that depends on AF_VSOCK (e.g., some guest agents, Firecracker/Kata workloads, nested virtualization integrations). On systems that need vsock, restrict the ability to open AF_VSOCK sockets to trusted users via seccomp/LSM policy in container runtimes, accepting the trade-off that legitimate guest agents inside untrusted containers will be similarly blocked.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46234 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy