Description

In the Linux kernel, the following vulnerability has been resolved: vsock/vmci: fix sk_ack_backlog leak on failed handshake When vmci_transport_recv_connecting_server() returns an error, vmci_transport_recv_listen() calls vsock_remove_pending() but never calls sk_acceptq_removed(). This leaves sk_ack_backlog incremented permanently. Repeated handshake failures (malformed packets, queue pair alloc failure, event subscribe failure) cause sk_ack_backlog to climb toward sk_max_ack_backlog. Once it reaches the limit the listener permanently refuses all new connections with -ECONNREFUSED, a silent denial of service requiring a process restart to recover. The two existing sk_acceptq_removed() calls in af_vsock.c do not cover this path: line 764 checks vsock_is_pending() which returns false after vsock_remove_pending(), and line 1889 is only reached on successful accept(). Fix by balancing sk_acceptq_added() with sk_acceptq_removed() on the error path.

Affected products

VendorProductVersions
LinuxLinuxd021c344051af91f42c5ba9fdedc176740cbd238 to <22c587aa3ab1ab5264daff3ec32136fd30436c13; d021c344051af91f42c5ba9fdedc176740cbd238 to <cf7090e255d74c4b61c51f8ede9fcacdd8393b5b; d021c344051af91f42c5ba9fdedc176740cbd238 to <ea0b03d52881c12a8c634ea0d6cbfa61cefdb488; d021c344051af91f42c5ba9fdedc176740cbd238 to <dfd853197615d322d3a88dbcab91fc0fd2096219; d021c344051af91f42c5ba9fdedc176740cbd238 to <bcb275626055df7f8f947f1a349754b4004d9a15; d021c344051af91f42c5ba9fdedc176740cbd238 to <ba9ad6015937a5e46ba1a31370e3efdec8abbdcc; d021c344051af91f42c5ba9fdedc176740cbd238 to <9698582a4dd9c4a05889d7db96d4c0edc9e69cac; d021c344051af91f42c5ba9fdedc176740cbd238 to <c05fa14db43ebef3bd862ca9d073981c0358b3f0
LinuxLinux3.9; 0 to <3.9; 5.10.259 to <=5.10.*; 5.15.210 to <=5.15.*; 6.1.176 to <=6.1.*; 6.6.143 to <=6.6.*; 6.12.94 to <=6.12.*; 6.18.36 to <=6.18.*; 7.0.13 to <=7.0.*; 7.1 to <=*

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 25 Jun 2026 10:14 UTC.