CVE-2026-46207: Linux vsock/virtio Incomplete Payload Disclosure in Network Monitoring
A flaw in the Linux kernel's vsock/virtio module causes monitoring tools to receive incomplete data when handling certain network packets. Specifically, when the kernel processes non-linear network buffers for the virtual socket monitoring interface (vsockmon), it fails to properly initialize a data structure that controls how much information gets copied. This leaves monitoring tools unable to see the full payload of these packets, potentially obscuring network activity. The issue affects local processes with standard privileges and could be exploited to hide data from network inspection.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-401
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix empty payload in tap skb for non-linear buffers For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized. Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb(). While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in virtio_transport_build_skb() within the vsock/virtio subsystem. When processing non-linear socket buffers (skbs), the function calls virtio_transport_copy_nonlinear_skb() to mirror packet data to the vsockmon tap interface. This helper function manually constructs an iov_iter structure but fails to set the iov_iter.count field, which specifies the copy length. Since iov_iter is zero-initialized, the subsequent data copy operation transfers zero bytes, leaving the destination buffer uninitialized. The fix consolidates linear and non-linear code paths by using skb_copy_datagram_iter() with iov_iter_kvec(), matching the approach already in place within vhost-vsock, and adds error checking on the copy operation's return value.
Business impact
Organizations relying on vsockmon for network traffic analysis, debugging, or security monitoring will experience blind spots in their visibility. Virtual machine hosts and container platforms that depend on virtual socket monitoring for troubleshooting or compliance logging could miss critical data, potentially causing gaps in audit trails or hindering incident investigation. The incomplete payload delivery may complicate root-cause analysis of virtual networking issues and could allow malicious activity within virtual environments to evade detection by monitoring infrastructure.
Affected systems
The Linux kernel is affected, specifically systems running kernels with the vulnerable vsock/virtio code path. This includes virtualization hosts, container platforms, and any systems using virtual sockets for inter-process communication over virtio transport. The vulnerability requires local access and standard user-level privileges to trigger. Kernel versions prior to the patch are vulnerable; verify the specific affected versions against the vendor advisory.
Exploitability
Exploitation requires local access to the system and standard user privileges (CWE-401 indicates resource management issues). An attacker cannot trigger this remotely. The barrier to exploitation is low—any local process can create vsock connections that transit through the affected code path. However, the direct security impact is limited to visibility loss rather than code execution or privilege escalation; the vulnerability serves primarily as an information disclosure vector for those actively monitoring vsock traffic.
Remediation
Apply the kernel patch that consolidates the linear and non-linear buffer handling within virtio_transport_build_skb() to use skb_copy_datagram_iter() uniformly. This unified approach ensures iov_iter.count is properly initialized and that copy operations are error-checked. Verify the patched kernel version against the vendor advisory before deployment.
Patch guidance
Update the Linux kernel to a version incorporating the vsock/virtio fix. Consult the vendor advisory for specific patched versions and backport availability for your kernel branch. Test the update in a non-production environment to confirm compatibility with your virtualization or container infrastructure before rolling out to production systems.
Detection guidance
Monitor kernel version compliance against vendor advisories to identify unpatched systems. During incident investigation, note that vsockmon packet captures prior to the patch may be incomplete and should not be treated as a definitive record of all vsock traffic. Systems with custom monitoring or debugging reliant on vsockmon tap interfaces should be re-evaluated post-patch to ensure visibility restoration. Kernel build metadata can confirm whether a running kernel includes the fix.
Why prioritize this
This medium-severity vulnerability (CVSS 5.5) should be addressed during standard patch cycles but does not require emergency out-of-band updates in most environments. However, prioritize patching if your organization relies heavily on virtual socket monitoring for security compliance, debugging, or forensic analysis. The local-only requirement and need for user-level privileges reduce urgency compared to network-exploitable flaws, but the information disclosure aspect makes it relevant for defense-in-depth strategies in virtualized infrastructures.
Risk score, explained
CVSS 5.5 reflects medium severity: the vulnerability requires local access (AV:L) and standard user privileges (PR:L), ruling out remote or escalated exploitation vectors. The attack is straightforward once local access is obtained (AC:L), but the direct impact is limited to availability of monitoring data (A:H) with no confidentiality or integrity compromise of the system itself. The user-initiated trigger mechanism and localized scope prevent a higher score despite the certainty of the impact on monitoring visibility.
Frequently asked questions
Who is affected by this vulnerability?
Any organization running Linux kernels with the vulnerable vsock/virtio code is affected. This primarily impacts virtualization hosts, container platforms, and systems using virtual sockets. Systems relying on vsockmon for traffic monitoring, debugging, or compliance logging will experience incomplete visibility into vsock communications.
Can this vulnerability be exploited remotely?
No. The vulnerability requires local access to the system and standard user-level privileges. It cannot be exploited over a network.
What data is at risk?
The data affected is the payload visible to network monitoring tools (vsockmon tap interface). Attackers cannot directly exfiltrate system data via this vulnerability, but they can cause monitoring infrastructure to receive incomplete packet information, potentially hiding activity from inspection.
Why is this a 'MEDIUM' severity instead of 'HIGH'?
The severity is MEDIUM because the vulnerability is local-only, requires standard user privileges, and does not lead to code execution or privilege escalation. Impact is confined to monitoring visibility rather than system compromise. Environments where vsockmon monitoring is less critical will see lower business risk.
This analysis is provided for informational purposes and based on the public vulnerability record. Verify all patch versions, affected kernel branches, and remediation steps against the official Linux kernel security advisory and your vendor's guidance. SEC.co does not provide warranty regarding the completeness or accuracy of this information. Organizations should conduct their own risk assessment based on their specific infrastructure and threat model before deploying patches or changes to monitoring systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46109MEDIUMLinux Kernel USB ULPI Memory Leak – CVSS 5.5 Medium
- CVE-2026-46141MEDIUMPowerPC XIVE Memory Leak in MSI-X Interrupt Allocation
- CVE-2026-46143MEDIUMLinux QCOM Audio Driver Memory Leak – Availability Risk
- CVE-2026-46147MEDIUMLinux ARM64 KVM vCPU Initialization Pin Leak and Race Condition
- CVE-2026-46151MEDIUMLinux Kernel USB Printer Driver Heap Memory Leak
- CVE-2026-46171MEDIUMLinux RISC-V KVM Vector Context Memory Leak
- CVE-2026-46182MEDIUMLinux Kernel PAPR Hypervisor Pipe Information Disclosure Vulnerability
- CVE-2026-46221MEDIUMLinux Kernel EDAC Versalnet Memory Leak Vulnerability