Bug 2482528 (CVE-2026-46207) - CVE-2026-46207 kernel: vsock/virtio: fix empty payload in tap skb for non-linear buffers
Summary: CVE-2026-46207 kernel: vsock/virtio: fix empty payload in tap skb for non-lin...
Keywords:
Status: NEW
Alias: CVE-2026-46207
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-28 11:01 UTC by OSIDB Bzimport
Modified: 2026-05-28 13:29 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-28 11:01:46 UTC 
In the Linux kernel, the following vulnerability has been resolved:

vsock/virtio: fix empty payload in tap skb for non-linear buffers

For non-linear skbs, virtio_transport_build_skb() goes through
virtio_transport_copy_nonlinear_skb() to copy the original payload
in the new skb to be delivered to the vsockmon tap device.
This manually initializes an iov_iter but does not set iov_iter.count.
Since the iov_iter is zero-initialized, the copy length is zero and no
payload is actually copied to the monitor interface, leaving data
un-initialized.

Fix this by removing the linear vs non-linear split and using
skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as
vhost-vsock already does. This handles both linear and non-linear skbs,
properly initializes the iov_iter, and removes the now unused
virtio_transport_copy_nonlinear_skb().

While touching this code, let's also check the return value of
skb_copy_datagram_iter(), even though it's unlikely to fail.
Comment 1 Keith Grant 2026-05-28 13:26:51 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026052834-CVE-2026-46207-6281@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.