Linux Kernel vsock/virtio MSG_ZEROCOPY Pinned-Pages Accounting Bypass (CVE-2026-52994) (Medium) -DC-Jul2026-1014

Listen to this Post

How the Vulnerability Works

The Linux kernel’s vsock/virtio transport layer provides socket communication between virtual machines and their hosts. A critical accounting flaw exists in the `MSG_ZEROCOPY` mechanism, which is designed to optimize data transfer by pinning user-space memory pages and reusing them directly for network transmission, avoiding costly data copies.
The vulnerability resides in the `virtio_transport_init_zcopy_skb()` function. This function is responsible for initializing zero-copy skbs (socket buffers) and accounting for the pinned memory pages against the process’s `RLIMIT_MEMLOCK` resource limit. The accounting is performed by msg_zerocopy_realloc(), which ultimately calls `mm_account_pinned_pages()` to enforce the memory lock limit.
The core issue lies in how the size argument for `msg_zerocopy_realloc()` is derived. The function uses `iter->count` as the size parameter. However, `virtio_transport_init_zcopy_skb()` is invoked after `virtio_transport_fill_skb()` has already processed the iterator via __zerocopy_sg_from_iter(). By the time the accounting function is called, the iterator has been fully consumed. For the last skb in a multi-segment transmission, `iter->count` becomes 0 because no bytes remain to be iterated.
As a result, `msg_zerocopy_realloc()` receives a size of 0 and skips the call to `mm_account_pinned_pages()` entirely. This means the kernel fails to account for the pinned pages against the process’s locked memory limit. An attacker can exploit this by sending large zero-copy messages that pin substantial amounts of memory, bypassing the `RLIMIT_MEMLOCK` restriction entirely.
This flaw was introduced in kernel version 6.7 with commit `581512a6dc93` and affects all subsequent versions up to 6.18.32 and 7.0.9. The fix involves passing `pkt_len` (the total original message size) as an explicit parameter to virtio_transport_init_zcopy_skb(), aligning the behavior with TCP and UDP implementations which both use the original message size for accounting. The vulnerability is classified as CWE-911 (Improper Resource Shutdown or Release) and has been assigned a CVSS base score of 5.5 (Medium) by Red Hat, with a local attack vector, low attack complexity, low privileges required, and no user interaction.

DailyCVE Form

| Field | Value |

|–|–|

| Platform | Linux Kernel |

| Version | 6.7 – 6.18.32, 7.0.9 |

| Vulnerability | RLIMIT_MEMLOCK bypass |

| Severity | Medium (CVSS 5.5) |

| Date | 2026-06-24 |

| Prediction | 2026-06-24 (fixed) |

What Undercode Say: Analytics & Verification

To verify the vulnerability and confirm the fix, the following commands and code snippets can be used:

Check kernel version:

uname -r

Verify if the fix is present (look for the patch commit):

git log --oneline --grep="vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting"

Inspect the vulnerable function (pre-fix):

// net/vmw_vsock/virtio_transport_common.c
static int virtio_transport_init_zcopy_skb(struct sock sk, struct sk_buff skb,
struct msghdr msg, size_t len)
{
// VULNERABLE: uses iter->count which is already consumed
return msg_zerocopy_realloc(sk, skb, msg->msg_iter.count);
}

Patched version (post-fix):

// net/vmw_vsock/virtio_transport_common.c
static int virtio_transport_init_zcopy_skb(struct sock sk, struct sk_buff skb,
struct msghdr msg, size_t pkt_len)
{
// FIXED: uses explicit pkt_len parameter
return msg_zerocopy_realloc(sk, skb, pkt_len);
}

Trigger the vulnerability (conceptual PoC in C):

// Send a large zero-copy message via vsock
int s = socket(AF_VSOCK, SOCK_STREAM, 0);
connect(s, ...);
send(s, large_buffer, 128 1024 1024, MSG_ZEROCOPY);
// The last skb will have iter->count = 0, skipping RLIMIT_MEMLOCK check

Monitor locked memory usage:

grep VmLck /proc/self/status Check locked memory before/after exploit

Exploit

An attacker with local low-privileged access can exploit this vulnerability to bypass the `RLIMIT_MEMLOCK` limit. By sending a large zero-copy message split across multiple skbs, the final segment triggers the accounting bypass. This allows the attacker to pin an arbitrary amount of physical memory, potentially leading to denial of service (memory exhaustion) or facilitating other attacks that require large locked memory regions. The exploit requires the ability to create vsock sockets, which is typically available in virtualized environments or containers using vsock communication.

Protection

  • Immediate: Apply the kernel patch. Fixed versions are:
  • 6.18.33 and later
  • 7.0.10 and later
  • 7.1 and later
  • Backports: Check your distribution for backported fixes (e.g., Debian bullseye 5.10.223-1, bookworm 6.1.170-3, sid 7.0.13-1).
  • Mitigation: If patching is not immediately possible, consider disabling `MSG_ZEROCOPY` for vsock sockets or restricting access to vsock devices (though this may break legitimate functionality).
  • Monitoring: Audit processes that use vsock with `MSG_ZEROCOPY` and monitor locked memory usage (/proc/<pid>/status).

Impact

  • Confidentiality: None.
  • Integrity: None.
  • Availability: High. An attacker can exhaust system memory by pinning large amounts of RAM, leading to denial of service.
  • Scope: Local-only; requires low privileges and vsock access.
  • Affected Environments: Virtualized environments, containers, and any system using vsock/virtio for guest-host communication (e.g., QEMU/KVM, VMware, some cloud setups).

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top