Linux Kernel vSock/virtio: Zero Payload in monitoring tap due to iov_iter bug
CVE-2026-46207 Published on May 28, 2026
vsock/virtio: fix empty payload in tap skb for non-linear buffers
In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: fix empty payload in tap skb for non-linear buffers
For non-linear skbs, virtio_transport_build_skb() goes through
virtio_transport_copy_nonlinear_skb() to copy the original payload
in the new skb to be delivered to the vsockmon tap device.
This manually initializes an iov_iter but does not set iov_iter.count.
Since the iov_iter is zero-initialized, the copy length is zero and no
payload is actually copied to the monitor interface, leaving data
un-initialized.
Fix this by removing the linear vs non-linear split and using
skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as
vhost-vsock already does. This handles both linear and non-linear skbs,
properly initializes the iov_iter, and removes the now unused
virtio_transport_copy_nonlinear_skb().
While touching this code, let's also check the return value of
skb_copy_datagram_iter(), even though it's unlikely to fail.
Products Associated with CVE-2026-46207
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 4b0bf10eb077cb43c09746251ef3608d62c45667 and below 06747f52ab157591cec7e5623a759473b66ef6f6 is affected.
- Version 4b0bf10eb077cb43c09746251ef3608d62c45667 and below 52da6a74ca3de0fcda60301096b71534b3b18641 is affected.
- Version 4b0bf10eb077cb43c09746251ef3608d62c45667 and below 378b131a25bd1a5ee27ca199fe486c299d5350c5 is affected.
- Version 4b0bf10eb077cb43c09746251ef3608d62c45667 and below 3a3e3d90cbc79600544536723911657730759af3 is affected.
- Version 6.7 is affected.
- Before 6.7 is unaffected.
- Version 6.12.90, <= 6.12.* is unaffected.
- Version 6.18.32, <= 6.18.* is unaffected.
- Version 7.0.9, <= 7.0.* is unaffected.
- Version 7.1-rc4, <= * is unaffected.