Skip to main content

Linux Kernel CVE-2026-53181

| EUVDEUVD-2026-39272 MEDIUM
Memory Leak (CWE-401)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-6gq6-hxjh-9grq
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Requires local low-privilege access to initiate vsock connections; impact is availability-only (permanent listener DoS), with no confidentiality or integrity consequences.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 06, 2026 - 12:53 vuln.today
CVSS changed
Jul 06, 2026 - 12:52 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

vsock/vmci: fix sk_ack_backlog leak on failed handshake

When vmci_transport_recv_connecting_server() returns an error, vmci_transport_recv_listen() calls vsock_remove_pending() but never calls sk_acceptq_removed(). This leaves sk_ack_backlog incremented permanently.

Repeated handshake failures (malformed packets, queue pair alloc failure, event subscribe failure) cause sk_ack_backlog to climb toward sk_max_ack_backlog. Once it reaches the limit the listener permanently refuses all new connections with -ECONNREFUSED, a silent denial of service requiring a process restart to recover.

The two existing sk_acceptq_removed() calls in af_vsock.c do not cover this path: line 764 checks vsock_is_pending() which returns false after vsock_remove_pending(), and line 1889 is only reached on successful accept().

Fix by balancing sk_acceptq_added() with sk_acceptq_removed() on the error path.

AnalysisAI

The vsock/VMCI transport in the Linux kernel silently leaks the accept queue counter (sk_ack_backlog) on every failed vsock connection handshake, eventually causing a permanent denial of service on any vsock listener. Repeated handshake failures caused by malformed packets, queue pair allocation failures, or event subscription failures each increment sk_ack_backlog without a corresponding decrement; once the counter reaches sk_max_ack_backlog, the listener rejects all subsequent connections with -ECONNREFUSED until the owning process is restarted. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Access VMware guest environment with low-privilege process
Delivery
Identify active vsock/VMCI listener on target host or peer guest
Exploit
Send repeated malformed vsock connection requests (invalid queue pair params)
Execution
Each failed handshake leaks sk_ack_backlog increment
Persist
sk_ack_backlog reaches sk_max_ack_backlog limit
Impact
Vsock listener permanently refuses all new connections with -ECONNREFUSED

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) the target Linux system must be running as a VMware guest or host with the vmci_transport kernel module loaded; (2) an active AF_VSOCK listener must be bound and accepting connections on that system; (3) the attacker must be able to initiate vsock connection requests to that listener, either as a local low-privileged process on the same system or as a process within another guest VM in the same VMware environment. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately frames this as a medium-severity, locally-scoped availability-only issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious or compromised guest VM in a VMware environment sends a stream of malformed vsock connection requests-such as packets with invalid queue pair parameters-to a vsock listener on the host or a peer guest. Each failed handshake increments sk_ack_backlog without decrement; after a number of failures equal to sk_max_ack_backlog, the listener silently rejects all subsequent legitimate connections with -ECONNREFUSED, disrupting inter-VM communication (e.g., VMware Tools or custom vsock services) until the process is manually restarted.
Remediation Upgrade to a patched kernel version appropriate for your distribution's LTS branch: 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 7.0.13, or 7.1 stable. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53181 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy