Linux Kernel, Integer Underflow, CVE-2026-23069 (Low)

In the Linux kernel, a potential integer underflow vulnerability was identified in the vsock/virtio transport mechanism. The function `virtio_transport_get_credit()` calculates available buffer space for transmission using unsigned arithmetic: `ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt)`. If a malicious or buggy peer on the same host shrinks its advertised buffer size (`peer_buf_alloc`) while there are still bytes in flight (i.e., `vvs->tx_cnt` is greater than `vvs->peer_fwd_cnt`), the in-flight count `(vvs->tx_cnt - vvs->peer_fwd_cnt)` can exceed the new `peer_buf_alloc`, and the overall subtraction, performed in an unsigned context, underflows. Instead of producing a negative number (which would correctly indicate no credit), the result wraps around to a very large positive value. This incorrectly signals to the sender that the peer has ample space, leading the sender to queue more data than the peer's actual buffer can accommodate. This violates the protocol's credit-based flow control and can lead to memory exhaustion or data corruption on the receiving side. The fix replaces the vulnerable direct calculation with a call to `virtio_transport_has_space()`, a helper function that correctly handles this edge case by performing the necessary checks to prevent underflow.

dailycve form:

Platform: Linux Kernel
Version: 4.8 to 6.19-rc7
Vulnerability: Integer Underflow
Severity: Low
Date: February 4, 2026

Prediction: Patches Available

What Undercode Say:

Analytics

The vulnerability resides in net/vmw_vsock/virtio_transport_common.c. The flawed logic is in the credit calculation used for flow control. By manipulating the advertised buffer size (peer_buf_alloc) during active data transfer, a local attacker can trigger an unsigned integer underflow. This results in the sender believing more credit is available than actually exists, leading to buffer over-allocation on the receiver.

Bash/Code

View the vulnerable code logic (conceptual):

```c
/* The vulnerable calculation in virtio_transport_get_credit() */
ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt);
/* This is an unsigned operation. If peer_buf_alloc is small and
 * (tx_cnt - peer_fwd_cnt) is large, the result wraps to a high value. */
```

The corrected approach reuses an existing safe function:

```c
// The fix replaces the direct calculation
// ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt);
// with a call to a helper that performs safe checks.
// For example, the logic within virtio_transport_has_space() is now used.
```
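
The wrap described above, next to one way of guarding against it, as an added example (not the kernel's source and not code from the original page): a user-space model that reuses the three counter names from the advisory. `struct credit_state`, `credit_wrapping()`, `credit_clamped()` and `take_credit()` are hypothetical names, the sample values are constructed, and the widen-and-clamp guard is an assumption about how such a check can be written.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the three counters named in the advisory. */
struct credit_state {
    uint32_t peer_buf_alloc; /* buffer size advertised by the peer */
    uint32_t tx_cnt;         /* bytes sent so far (free-running counter) */
    uint32_t peer_fwd_cnt;   /* bytes the peer reports as consumed */
};

/* Pre-fix arithmetic: everything stays unsigned, so a negative result wraps. */
static uint32_t credit_wrapping(const struct credit_state *s)
{
    return s->peer_buf_alloc - (s->tx_cnt - s->peer_fwd_cnt);
}

/* Guarded form (assumed): widen to signed 64-bit, clamp negative credit to 0. */
static uint32_t credit_clamped(const struct credit_state *s)
{
    uint32_t in_flight = s->tx_cnt - s->peer_fwd_cnt; /* modular, wrap-safe */
    int64_t avail = (int64_t)s->peer_buf_alloc - (int64_t)in_flight;
    return avail < 0 ? 0 : (uint32_t)avail;
}

/* Grant at most `wanted` bytes and account for them as in flight. */
static uint32_t take_credit(struct credit_state *s, uint32_t wanted,
                            uint32_t (*avail)(const struct credit_state *))
{
    uint32_t grant = avail(s);
    if (grant > wanted)
        grant = wanted;
    s->tx_cnt += grant;
    return grant;
}

int main(void)
{
    /* Constructed scenario: 48 KiB in flight, peer shrinks 64 KiB -> 16 KiB. */
    struct credit_state s = { 65536, 49152, 0 };
    s.peer_buf_alloc = 16384;
    printf("wrapping: %u\n", (unsigned)credit_wrapping(&s));
    printf("clamped:  %u\n", (unsigned)credit_clamped(&s));
    printf("granted (clamped): %u\n",
           (unsigned)take_credit(&s, 4096, credit_clamped));
    return 0;
}
```

The inner subtraction `tx_cnt - peer_fwd_cnt` is left unsigned on purpose: both counters are free-running, so modular arithmetic gives the correct in-flight count even after `tx_cnt` wraps past 2^32.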
Patching commands for a Debian-based system:

```bash
sudo apt-get update
sudo apt-get upgrade "linux-image-$(uname -r)"
sudo reboot
```

Exploit

A local user on the host system could potentially exploit this. By opening a vsock connection and carefully controlling the timing of buffer advertisement shrinkage relative to data transmission, the attacker on one end of the socket could cause the peer (a VM or host process) to miscalculate buffer space. This could lead to a denial of service by exhausting memory on the receiver or potentially corrupting data if the over-filled buffer is mishandled.

Protection from this CVE

Apply the stable kernel updates provided by your distribution. The fix is included in kernel versions 6.6.122, 6.12.68, 6.18.8, and 6.19-rc7 and later. For Debian, ensure the `linux` package is updated to version `6.1.162-1` for bookworm or later. For Ubuntu, update to the rectified versions for noble, jammy, and focal as per the security notices.

Impact

If exploited, this vulnerability allows a local attacker to cause a denial of service (memory exhaustion) on a peer connected via a virtio-vsock socket. In some scenarios, this could potentially lead to arbitrary code execution if the subsequent buffer mismanagement creates a memory corruption vulnerability.

Sources:

Reported By: nvd.nist.gov