CVE-2026-52994
In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting virtio_transport_init_zcopy_skb() uses iter->count as the size argument for msg_zerocopy_realloc(), which in turn passes it to mm_account_pinned_pages() for RLIMIT_MEMLOCK accounting. However, this function is called after virtio_transport_fill_skb() has already consumed the iterator via __zerocopy_sg_from_iter(), so on the last skb, iter->count will be 0, skipping the RLIMIT_MEMLOCK enforcement. Pass pkt_len (the total bytes being sent) as an explicit parameter to virtio_transport_init_zcopy_skb() instead of reading the already-consumed iter->count. This matches TCP and UDP, which both call msg_zerocopy_realloc() with the original message size.
Affected versions
Linux kernel versions
6.7
and later are affected. Fixed in
6.18.33,
7.0.10,
7.1
and their respective stable series.
References
3 totalFrequently asked questions
-
What is CVE-2026-52994?
CVE-2026-52994 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 6.7 onward and has been patched in 6.18.33, 7.0.10 and 7.1. CVE-2026-52994 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
-
Is there a patch available for CVE-2026-52994?
Yes — CVE-2026-52994 has been patched. Fixed versions include 6.18.33, 7.0.10 and 7.1. If you are running Linux kernel 6.7 or later up to the fix versions, apply the relevant patch for your kernel branch.
-
Is CVE-2026-52994 actively exploited?
No — CVE-2026-52994 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.