What is CVE-2026-23057?

CVE-2026-23057 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 6.7 onward and patched in 6.12.68, 6.18.8 and 6.19. CVE-2026-23057 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2026-23057?

CVE-2026-23057 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2026-23057?

Yes, CVE-2026-23057 has been patched. Fixed versions include 6.12.68, 6.18.8 and 6.19. If you are running Linux kernel 6.7 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2026-23057 actively exploited?

CVE-2026-23057 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2026-23057

In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Coalesce only linear skb vsock/virtio common tries to coalesce buffers in rx queue: if a linear skb (with a spare tail room) is followed by a small skb (length limited by GOOD_COPY_LEN = 128), an attempt is made to join them. Since the introduction of MSG_ZEROCOPY support, assumption that a small skb will always be linear is incorrect. In the zerocopy case, data is lost and the linear skb is appended with uninitialized kernel memory. Of all 3 supported virtio-based transports, only loopback-transport is affected. G2H virtio-transport rx queue operates on explicitly linear skbs; see virtio_vsock_alloc_linear_skb() in virtio_vsock_rx_fill(). H2G vhost-transport may allocate non-linear skbs, but only for sizes that are not considered for coalescence; see PAGE_ALLOC_COSTLY_ORDER in virtio_vsock_alloc_skb(). Ensure only linear skbs are coalesced. Note that skb_tailroom(last_skb) > 0 guarantees last_skb is linear.

Package Linux Kernel

Published 2026-02-04

Last modified 2026-04-15

Patch available

Yes

Affected versions

Linux kernel versions 6.7 and later are affected. Fixed in 6.12.68, 6.18.8, 6.19 and their respective stable series.

Affected from

≥ 6.7

Fixed in

✓ 6.12.68 6.12.x ✓ 6.18.8 6.18.x ✓ 6.19

References

The following references provide additional information about CVE-2026-23057 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/0386bd321d0f95d041a7b3d7b07643411b044a96
Patch
Kernel patch commit
https://git.kernel.org/stable/c/568e9cd8ed7ca9bf748c7687ba6501f29d30e59f
Patch
Kernel patch commit
https://git.kernel.org/stable/c/63ef9b300bd09e24c57050c5dbe68feedce42e72
Patch

Frequently asked questions

What is CVE-2026-23057?

CVE-2026-23057 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 6.7 onward and has been patched in 6.12.68, 6.18.8 and 6.19. CVE-2026-23057 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2026-23057?

Yes — CVE-2026-23057 has been patched. Fixed versions include 6.12.68, 6.18.8 and 6.19. If you are running Linux kernel 6.7 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2026-23057 actively exploited?

No — CVE-2026-23057 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.