Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Requires local low-privilege access to initiate vsock connections; impact is availability-only (permanent listener DoS), with no confidentiality or integrity consequences.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
vsock/vmci: fix sk_ack_backlog leak on failed handshake
When vmci_transport_recv_connecting_server() returns an error, vmci_transport_recv_listen() calls vsock_remove_pending() but never calls sk_acceptq_removed(). This leaves sk_ack_backlog incremented permanently.
Repeated handshake failures (malformed packets, queue pair alloc failure, event subscribe failure) cause sk_ack_backlog to climb toward sk_max_ack_backlog. Once it reaches the limit the listener permanently refuses all new connections with -ECONNREFUSED, a silent denial of service requiring a process restart to recover.
The two existing sk_acceptq_removed() calls in af_vsock.c do not cover this path: line 764 checks vsock_is_pending() which returns false after vsock_remove_pending(), and line 1889 is only reached on successful accept().
Fix by balancing sk_acceptq_added() with sk_acceptq_removed() on the error path.
AnalysisAI
The vsock/VMCI transport in the Linux kernel silently leaks the accept queue counter (sk_ack_backlog) on every failed vsock connection handshake, eventually causing a permanent denial of service on any vsock listener. Repeated handshake failures caused by malformed packets, queue pair allocation failures, or event subscription failures each increment sk_ack_backlog without a corresponding decrement; once the counter reaches sk_max_ack_backlog, the listener rejects all subsequent connections with -ECONNREFUSED until the owning process is restarted. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) the target Linux system must be running as a VMware guest or host with the vmci_transport kernel module loaded; (2) an active AF_VSOCK listener must be bound and accepting connections on that system; (3) the attacker must be able to initiate vsock connection requests to that listener, either as a local low-privileged process on the same system or as a process within another guest VM in the same VMware environment. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately frames this as a medium-severity, locally-scoped availability-only issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious or compromised guest VM in a VMware environment sends a stream of malformed vsock connection requests-such as packets with invalid queue pair parameters-to a vsock listener on the host or a peer guest. Each failed handshake increments sk_ack_backlog without decrement; after a number of failures equal to sk_max_ack_backlog, the listener silently rejects all subsequent legitimate connections with -ECONNREFUSED, disrupting inter-VM communication (e.g., VMware Tools or custom vsock services) until the process is manually restarted. |
| Remediation | Upgrade to a patched kernel version appropriate for your distribution's LTS branch: 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 7.0.13, or 7.1 stable. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-401 – Memory Leak
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39272
GHSA-6gq6-hxjh-9grq