Skip to main content

Linux Kernel EUVDEUVD-2026-38862

| CVE-2026-52994 MEDIUM
2026-06-24 Linux GHSA-c44p-q7r3-5852
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local socket creation requires unprivileged credentials (PR:L, AV:L); no data is disclosed (C:N, I:N); unbounded page pinning produces high availability impact (A:H).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 15, 2026 - 13:25 vuln.today
CVSS changed
Jul 15, 2026 - 13:22 NVD
5.5 (MEDIUM)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:29 nvd
MEDIUM 5.5
CVE Published
Jun 24, 2026 - 16:29 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting

virtio_transport_init_zcopy_skb() uses iter->count as the size argument for msg_zerocopy_realloc(), which in turn passes it to mm_account_pinned_pages() for RLIMIT_MEMLOCK accounting. However, this function is called after virtio_transport_fill_skb() has already consumed the iterator via __zerocopy_sg_from_iter(), so on the last skb, iter->count will be 0, skipping the RLIMIT_MEMLOCK enforcement.

Pass pkt_len (the total bytes being sent) as an explicit parameter to virtio_transport_init_zcopy_skb() instead of reading the already-consumed iter->count.

This matches TCP and UDP, which both call msg_zerocopy_realloc() with the original message size.

AnalysisAI

Improper RLIMIT_MEMLOCK accounting in the Linux kernel's vsock/virtio MSG_ZEROCOPY path allows a local low-privileged user to bypass per-process pinned-page limits, enabling unbounded kernel memory pinning that can drive the system toward memory exhaustion. The flaw is confined to the virtio vsock transport and is not remotely exploitable. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain local low-privilege shell on vsock-enabled host
Delivery
Create AF_VSOCK socket to listening peer
Exploit
Transmit large payload with MSG_ZEROCOPY flag
Install
Last skb accounting call receives zero size
C2
RLIMIT_MEMLOCK limit bypassed for pinned pages
Execute
Repeat to exhaust kernel-pinned memory
Impact
Host availability degraded

Vulnerability AssessmentAI

Exploitation The attacker must have local, low-privilege access to a Linux system (CVSS PR:L, AV:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H is internally consistent with the description: exploitation is strictly local, requires only unprivileged credentials, involves no scope change, and produces an availability impact through uncapped memory pinning. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user on a virtualized Linux host (e.g., a guest VM or a container with AF_VSOCK access) opens a vsock socket to a listening peer and repeatedly sends large payloads with the MSG_ZEROCOPY flag. Each send causes the kernel to pin the user's pages but only partially accounts for them against RLIMIT_MEMLOCK - specifically, the last skb of each send records zero bytes. …
Remediation Upgrade to Linux kernel 6.18.33, 7.0.10, or 7.1, which contain the corrected virtio_transport_init_zcopy_skb() implementation. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38862 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy