CVE-2026-46207

Source
https://cve.org/CVERecord?id=CVE-2026-46207
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46207.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46207
Downstream
Related
Published
2026-05-28T09:40:25.583Z
Modified
2026-07-15T01:48:52.499722246Z
Summary
vsock/virtio: fix empty payload in tap skb for non-linear buffers
Details

In the Linux kernel, the following vulnerability has been resolved:

vsock/virtio: fix empty payload in tap skb for non-linear buffers

For non-linear skbs, virtiotransportbuildskb() goes through virtiotransportcopynonlinearskb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an ioviter but does not set ioviter.count. Since the ioviter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized.

Fix this by removing the linear vs non-linear split and using skbcopydatagramiter() with ioviterkvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the ioviter, and removes the now unused virtiotransportcopynonlinearskb().

While touching this code, let's also check the return value of skbcopydatagram_iter(), even though it's unlikely to fail.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46207.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4b0bf10eb077cb43c09746251ef3608d62c45667
Fixed
06747f52ab157591cec7e5623a759473b66ef6f6
Fixed
52da6a74ca3de0fcda60301096b71534b3b18641
Fixed
378b131a25bd1a5ee27ca199fe486c299d5350c5
Fixed
3a3e3d90cbc79600544536723911657730759af3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46207.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.90
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.32
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46207.json"