In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting
virtiotransportinitzcopyskb() uses iter->count as the size argument for msgzerocopyrealloc(), which in turn passes it to mmaccountpinnedpages() for RLIMITMEMLOCK accounting. However, this function is called after virtiotransportfill_skb() has already consumed the iterator via __zerocopysgfromiter(), so on the last skb, iter->count will be 0, skipping the RLIMITMEMLOCK enforcement.
Pass pktlen (the total bytes being sent) as an explicit parameter to virtiotransportinitzcopy_skb() instead of reading the already-consumed iter->count.
This matches TCP and UDP, which both call msgzerocopyrealloc() with the original message size.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52994.json"
}