Severity by source
AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Local vsock access with no extra privileges (PR:N) and low complexity (AC:L) lets a guest exhaust host memory (S:C, A:H); no confidentiality or integrity impact.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: fix potential unbounded skb queue
virtio_transport_inc_rx_pkt() checks vvs->rx_bytes + len > vvs->buf_alloc.
virtio_transport_recv_enqueue() skips coalescing for packets with VIRTIO_VSOCK_SEQ_EOM.
If fed with packets with len == 0 and VIRTIO_VSOCK_SEQ_EOM, a very large number of packets can be queued because vvs->rx_bytes stays at 0.
Fix this by estimating the skb metadata size:
(Number of skbs in the queue) * SKB_TRUESIZE(0)
AnalysisAI
Denial of service in the Linux kernel's virtio vsock transport allows a local actor to exhaust kernel memory by flooding the socket with zero-length packets flagged VIRTIO_VSOCK_SEQ_EOM, which bypass receive-buffer accounting and grow the skb receive queue without bound. The flaw affects the vsock/virtio guest-host communication path and carries CVSS 7.1 (A:H, scope-changed); EPSS is low (0.17%, 6th percentile) and there is no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access to an AF_VSOCK endpoint with the virtio vsock transport enabled (CONFIG_VSOCKETS plus virtio/vhost vsock loaded) - typically code running inside a guest VM communicating with its host, or a local process on a system using virtio vsock. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mostly consistent and point to a real but bounded, locally-triggered availability risk rather than a widely-exploited emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A tenant with code execution inside a guest VM opens an AF_VSOCK connection to the host and transmits a rapid stream of zero-length packets each flagged VIRTIO_VSOCK_SEQ_EOM. Because these packets never increment rx_bytes, the host kernel queues them without limit, steadily consuming kernel memory until the host degrades or triggers OOM conditions. … |
| Remediation | Apply the vendor-released kernel patch by upgrading to a fixed stable release - Vendor-released patch: 6.12.94, 6.18.36, or 7.0.13 (or your distribution's backported equivalent), corresponding to kernel.org stable commits 059b7dbd, 100d5b2f, 1eca304f, and 9bdc637f. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify Linux systems running virtio vsock (primarily guest VMs in virtualized environments). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-401 – Memory Leak
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39337
GHSA-g7xf-gg8w-vw6h