In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: fix empty payload in tap skb for non-linear buffers
For non-linear skbs, virtiotransportbuildskb() goes through virtiotransportcopynonlinearskb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an ioviter but does not set ioviter.count. Since the ioviter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized.
Fix this by removing the linear vs non-linear split and using skbcopydatagramiter() with ioviterkvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the ioviter, and removes the now unused virtiotransportcopynonlinearskb().
While touching this code, let's also check the return value of skbcopydatagram_iter(), even though it's unlikely to fail.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46207.json"
}