Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local socket creation requires unprivileged credentials (PR:L, AV:L); no data is disclosed (C:N, I:N); unbounded page pinning produces high availability impact (A:H).
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting
virtio_transport_init_zcopy_skb() uses iter->count as the size argument for msg_zerocopy_realloc(), which in turn passes it to mm_account_pinned_pages() for RLIMIT_MEMLOCK accounting. However, this function is called after virtio_transport_fill_skb() has already consumed the iterator via __zerocopy_sg_from_iter(), so on the last skb, iter->count will be 0, skipping the RLIMIT_MEMLOCK enforcement.
Pass pkt_len (the total bytes being sent) as an explicit parameter to virtio_transport_init_zcopy_skb() instead of reading the already-consumed iter->count.
This matches TCP and UDP, which both call msg_zerocopy_realloc() with the original message size.
AnalysisAI
Improper RLIMIT_MEMLOCK accounting in the Linux kernel's vsock/virtio MSG_ZEROCOPY path allows a local low-privileged user to bypass per-process pinned-page limits, enabling unbounded kernel memory pinning that can drive the system toward memory exhaustion. The flaw is confined to the virtio vsock transport and is not remotely exploitable. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must have local, low-privilege access to a Linux system (CVSS PR:L, AV:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H is internally consistent with the description: exploitation is strictly local, requires only unprivileged credentials, involves no scope change, and produces an availability impact through uncapped memory pinning. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user on a virtualized Linux host (e.g., a guest VM or a container with AF_VSOCK access) opens a vsock socket to a listening peer and repeatedly sends large payloads with the MSG_ZEROCOPY flag. Each send causes the kernel to pin the user's pages but only partially accounts for them against RLIMIT_MEMLOCK - specifically, the last skb of each send records zero bytes. … |
| Remediation | Upgrade to Linux kernel 6.18.33, 7.0.10, or 7.1, which contain the corrected virtio_transport_init_zcopy_skb() implementation. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38862
GHSA-c44p-q7r3-5852