GHSA-C7CV-93JX-FC79
Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-05-28 12:30
In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: fix empty payload in tap skb for non-linear buffers
For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized.
Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb().
While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail.
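The failure mode and the shape of the fix, reduced to a userspace C model (an added example, not kernel code and not taken from the patch). `toy_iter`, `toy_frag` and the `tap_copy_*` functions are hypothetical stand-ins for `iov_iter`, the fragments of a non-linear skb and the tap-copy path; the 0xAA fill stands in for uninitialized memory.

```c
#include <stdio.h>
#include <string.h>

/* Toy stand-ins: an iterator (destination + remaining capacity) and one skb fragment. */
struct toy_iter { unsigned char *dst; size_t count; };
struct toy_frag { const unsigned char *data; size_t len; };

/* Copy fragments into the iterator, at most it->count bytes in total; returns bytes copied. */
static size_t toy_copy_frags(const struct toy_frag *f, size_t nfrags, struct toy_iter *it)
{
    size_t copied = 0;
    for (size_t i = 0; i < nfrags && it->count > 0; i++) {
        size_t n = f[i].len < it->count ? f[i].len : it->count;
        memcpy(it->dst, f[i].data, n);
        it->dst += n;
        it->count -= n;
        copied += n;
    }
    return copied;
}

/* Before: fields filled in by hand, count left at its zero-initialized value. */
static size_t tap_copy_before(unsigned char *tap, const struct toy_frag *f, size_t nfrags)
{
    struct toy_iter it = {0};
    it.dst = tap;                       /* it.count is still 0: nothing will be copied */
    return toy_copy_frags(f, nfrags, &it);
}

/* After: every field set in one place, and a short copy is reported as an error. */
static int tap_copy_after(unsigned char *tap, size_t len, const struct toy_frag *f, size_t nfrags)
{
    struct toy_iter it = { .dst = tap, .count = len };
    return toy_copy_frags(f, nfrags, &it) == len ? 0 : -1;
}

int main(void)
{
    /* Constructed sample: 8-byte payload in two fragments; 0xAA marks unwritten tap bytes. */
    const unsigned char a[] = {1, 2, 3}, b[] = {4, 5, 6, 7, 8};
    const struct toy_frag frags[] = { {a, 3}, {b, 5} };
    unsigned char tap[8];
    memset(tap, 0xAA, sizeof tap);
    size_t copied = tap_copy_before(tap, frags, 2);
    printf("before: copied=%zu tap[0]=0x%02x\n", copied, tap[0]);
    int rc = tap_copy_after(tap, sizeof tap, frags, 2);
    printf("after:  rc=%d tap[0]=0x%02x\n", rc, tap[0]);
    return 0;
}
```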
{
"affected": [],
"aliases": [
"CVE-2026-46207"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T10:16:36Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: fix empty payload in tap skb for non-linear buffers\n\nFor non-linear skbs, virtio_transport_build_skb() goes through\nvirtio_transport_copy_nonlinear_skb() to copy the original payload\nin the new skb to be delivered to the vsockmon tap device.\nThis manually initializes an iov_iter but does not set iov_iter.count.\nSince the iov_iter is zero-initialized, the copy length is zero and no\npayload is actually copied to the monitor interface, leaving data\nun-initialized.\n\nFix this by removing the linear vs non-linear split and using\nskb_copy_datagram_iter() with iov_iter_kvec() for all cases, as\nvhost-vsock already does. This handles both linear and non-linear skbs,\nproperly initializes the iov_iter, and removes the now unused\nvirtio_transport_copy_nonlinear_skb().\n\nWhile touching this code, let\u0027s also check the return value of\nskb_copy_datagram_iter(), even though it\u0027s unlikely to fail.",
"id": "GHSA-c7cv-93jx-fc79",
"modified": "2026-05-28T12:30:32Z",
"published": "2026-05-28T12:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46207"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/06747f52ab157591cec7e5623a759473b66ef6f6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/378b131a25bd1a5ee27ca199fe486c299d5350c5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3a3e3d90cbc79600544536723911657730759af3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/52da6a74ca3de0fcda60301096b71534b3b18641"
}
],
"schema_version": "1.4.0",
"severity": []
}