CVE-2026-46207
In the Linux kernel, the following vulnerability has been resolved:

vsock/virtio: fix empty payload in tap skb for non-linear buffers

For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized.

Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb().

While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail.
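The failure mode described above, as an added user-space model (not kernel code and not part of the original advisory or patch). `struct model_iter`, `model_copy_datagram()` and the `tap_copy_*` helpers are hypothetical stand-ins for `iov_iter`, `skb_copy_datagram_iter()` and the tap copy path, and the payload is constructed.

```c
#include <stdio.h>
#include <string.h>

/* User-space stand-in for the kernel's iov_iter (model only, one segment). */
struct model_iter { void *base; size_t count; };

/* Models skb_copy_datagram_iter(): copies at most it->count bytes; -1 if short. */
static int model_copy_datagram(const void *src, size_t len, struct model_iter *it)
{
    size_t n = len < it->count ? len : it->count;
    memcpy(it->base, src, n);
    return n == len ? 0 : -1;
}

/* Before: hand-built iterator, count stays 0, return value ignored. */
static void tap_copy_buggy(const void *src, size_t len, void *dst)
{
    struct model_iter it = { 0 };
    it.base = dst;
    (void)model_copy_datagram(src, len, &it);
}

/* After: count set at init (as iov_iter_kvec() does), result checked by caller. */
static int tap_copy_fixed(const void *src, size_t len, void *dst)
{
    struct model_iter it = { dst, len };
    return model_copy_datagram(src, len, &it);
}

/* Payload bytes reaching a buffer pre-filled with 0xAA (stands in for uninitialized memory). */
static size_t bytes_delivered(int fixed)
{
    static const char payload[] = "constructed vsock payload";
    unsigned char dst[sizeof(payload)];
    size_t ok = 0;
    memset(dst, 0xAA, sizeof(dst));
    if (!fixed)
        tap_copy_buggy(payload, sizeof(payload), dst);
    else if (tap_copy_fixed(payload, sizeof(payload), dst) != 0)
        return 0;
    while (ok < sizeof(payload) && dst[ok] == (unsigned char)payload[ok])
        ok++;
    return ok;
}

int main(void)
{
    printf("buggy: %zu bytes, fixed: %zu bytes\n", bytes_delivered(0), bytes_delivered(1));
    return 0;
}
```

In the buggy path the destination keeps its 0xAA fill, which is the model's equivalent of the tap skb carrying stale memory instead of the payload.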
Affected versions
Linux kernel versions 6.7 and later are affected. Fixed in 6.12.90, 6.18.32, 7.0.9, 7.1-rc4 and their respective stable series.
References
The following references provide additional information about CVE-2026-46207 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.
- Patch (kernel patch commit): https://git.kernel.org/stable/c/06747f52ab157591cec7e5623a759473b66ef6f6
- Patch (kernel patch commit): https://git.kernel.org/stable/c/378b131a25bd1a5ee27ca199fe486c299d5350c5
- Patch (kernel patch commit): https://git.kernel.org/stable/c/3a3e3d90cbc79600544536723911657730759af3
Frequently asked questions
- What is CVE-2026-46207?
  CVE-2026-46207 is an unscored Linux kernel vulnerability. It affects Linux kernel versions from 6.7 onward and has been patched in 6.12.90, 6.18.32, 7.0.9 and others. CVE-2026-46207 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
- Is there a patch available for CVE-2026-46207?
  Yes, CVE-2026-46207 has been patched. Fixed versions include 6.12.90, 6.18.32, 7.0.9 and others. If you are running a Linux kernel from 6.7 onward that predates the fixed version for its branch, apply the relevant patch for your kernel branch.
- Is CVE-2026-46207 actively exploited?
  No, CVE-2026-46207 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.