CVE-2026-46214: Linux vsock Accept Queue Leak Causes Listener Denial of Service
A flaw in the Linux kernel's virtual socket (vsock) implementation can cause connection listeners to stop accepting new connections after a small number of transport negotiation failures. The bug occurs in the virtio transport layer when the code increments an internal counter to track pending connections but fails to decrement it if the transport negotiation fails. After enough failed attempts, the listener incorrectly believes its connection queue is full and rejects all new incoming connections, effectively causing a denial of service for applications relying on vsock communication.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- —
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix accept queue count leak on transport mismatch virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog. After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections. Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in virtio_transport_recv_listen() within the vsock/virtio subsystem. The function calls sk_acceptq_added() to increment the accept queue backlog counter before validating and assigning the appropriate transport via vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling the corresponding sk_acceptq_removed(), leaving the backlog counter in an inconsistent state. After approximately backlog+1 such failures, sk_acceptq_is_full() incorrectly returns true, causing the listener socket to reject all new connections. The fix relocates sk_acceptq_added() to execute after successful transport validation, aligning the implementation with existing patterns in vmci_transport and hyperv_transport.
Business impact
Applications using vsock for inter-process or inter-VM communication on Linux systems may experience unexpected connection rejections after repeated transport negotiation issues. This denial-of-service condition could disrupt container-to-host communication, virtual machine management operations, or other vsock-dependent services. The impact manifests gradually—after a threshold of failed connections is reached, the listener becomes unresponsive to all new connection attempts until the process is restarted, forcing service interruption or recovery procedures.
Affected systems
The vulnerability affects the Linux kernel vsock/virtio transport implementation. Any Linux system running a vulnerable kernel version and hosting applications that use vsock for network-like communication is potentially affected. This includes container runtimes, hypervisor management layers, and any user-space application communicating via /dev/vsock sockets. The vulnerability is platform-independent within Linux but only manifests when vsock is actively in use and transport selection failures occur.
Exploitability
The vulnerability requires local access to trigger—specifically, the ability to initiate vsock connections on the affected system. An unprivileged local user can attempt connections with invalid or mismatched transport configurations to incrementally exhaust the accept queue. No special kernel privileges, network access, or exploit code is required; repeated connection attempts with transport mismatches will gradually degrade the listener's availability. The barrier to exploitation is low due to the local-only requirement and the passive nature of the bug (no active exploitation mechanism needed beyond normal vsock usage).
Remediation
Patch the Linux kernel to a version containing the fix. The remediation involves moving the sk_acceptq_added() call to execute only after vsock_assign_transport() has successfully validated and selected a transport, ensuring the backlog counter remains consistent. Affected administrators should check their kernel's patch status and apply security updates from their Linux distribution. Kernel module rebuilds or backported patches may be necessary for older supported kernels if the distribution has not yet released a patched version.
Patch guidance
Apply the latest kernel security update from your Linux distribution that includes this vsock/virtio fix. Verify against the vendor advisory that the specific patch addressing the accept queue count leak in vsock/virtio is included. Reboot the system after applying kernel updates to activate the patched code. If running a custom or long-term support kernel, check the kernel security tracking resources or your vendor's advisory to confirm the fix has been applied to your kernel version.
Detection guidance
Monitor for increased connection rejections on vsock listeners, particularly after transport-related errors in kernel logs. Systems experiencing the issue will show accept queue backlog counter growing persistently without corresponding decrements. Observe kernel logs for vsock transport assignment failures or mismatches coinciding with application-level connection refusals. Restart the listening application and observe whether connections are briefly accepted again before the counter leaks resume—this pattern is diagnostic of the vulnerability.
Why prioritize this
Although the CVSS score is medium (5.5) and local access is required, the vulnerability can cause a complete denial of service for critical inter-process and inter-VM communication channels. Container orchestration, hypervisor management, and secure enclave communication may all rely on vsock. The gradual nature of the degradation (connections work until a threshold is reached) makes it particularly insidious for production environments where sporadic failures may be initially misdiagnosed as application bugs rather than a kernel issue. Prioritize patching for systems where vsock is actively used for mission-critical communication.
Risk score, explained
The CVSS 3.1 score of 5.5 (MEDIUM, AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) reflects a local-only attack vector with low complexity and low privilege requirements, resulting in high availability impact but no confidentiality or integrity consequences. The score accurately captures the denial-of-service nature of the flaw. However, context matters: environments where vsock carries critical workload communication should treat this as higher priority than the base score suggests, while systems not using vsock can deprioritize it.
Frequently asked questions
Does this vulnerability affect my system if I'm not using vsock?
No. The vulnerability only manifests in the vsock/virtio transport layer when applications actively use vsock sockets for communication. If your system does not have vsock-dependent workloads—such as container runtimes with vsock pass-through, hypervisor management tools, or secure enclave communication—the vulnerability poses no practical risk.
Can this be exploited remotely or only locally?
Only locally. The vulnerability requires the ability to initiate vsock connections on the affected system, which is limited to local users or processes on that system. Remote attackers cannot trigger this vulnerability over the network.
What happens if I ignore this vulnerability?
Over time, the accept queue backlog counter will leak, eventually causing the vsock listener to reject all new connections. Applications will experience connection failures that persist until the listening process is restarted. The impact accumulates with each failed connection attempt, so systems experiencing frequent transport negotiation failures will degrade faster.
Will simply restarting the listening application fix the problem?
Yes, restarting the application resets the accept queue counter, temporarily restoring functionality. However, the underlying kernel bug remains, and the counter will leak again if transport failures recur. A kernel patch is required for a permanent fix.
This analysis is based on the published CVE description and CVSS scoring data as of the modification date. Specific patch versions, exact affected kernel releases, and vendor-specific mitigations are not detailed here; consult your Linux distribution's security advisory for precise patching guidance. Exploitation requires local system access and vsock active use. No proof-of-concept code or weaponized exploit details are provided. Organizations should verify patch applicability against their kernel versions and deployment contexts. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUMLinux Panthor GPU Driver Denial of Service via Cache Flush Timeout
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure