Description
In the Linux kernel, the following vulnerability has been resolved: vsock/vmci: fix sk_ack_backlog leak on failed handshake When vmci_transport_recv_connecting_server() returns an error, vmci_transport_recv_listen() calls vsock_remove_pending() but never calls sk_acceptq_removed(). This leaves sk_ack_backlog incremented permanently. Repeated handshake failures (malformed packets, queue pair alloc failure, event subscribe failure) cause sk_ack_backlog to climb toward sk_max_ack_backlog. Once it reaches the limit the listener permanently refuses all new connections with -ECONNREFUSED, a silent denial of service requiring a process restart to recover. The two existing sk_acceptq_removed() calls in af_vsock.c do not cover this path: line 764 checks vsock_is_pending() which returns false after vsock_remove_pending(), and line 1889 is only reached on successful accept(). Fix by balancing sk_acceptq_added() with sk_acceptq_removed() on the error path.
Affected products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | d021c344051af91f42c5ba9fdedc176740cbd238 to <22c587aa3ab1ab5264daff3ec32136fd30436c13; d021c344051af91f42c5ba9fdedc176740cbd238 to <cf7090e255d74c4b61c51f8ede9fcacdd8393b5b; d021c344051af91f42c5ba9fdedc176740cbd238 to <ea0b03d52881c12a8c634ea0d6cbfa61cefdb488; d021c344051af91f42c5ba9fdedc176740cbd238 to <dfd853197615d322d3a88dbcab91fc0fd2096219; d021c344051af91f42c5ba9fdedc176740cbd238 to <bcb275626055df7f8f947f1a349754b4004d9a15; d021c344051af91f42c5ba9fdedc176740cbd238 to <ba9ad6015937a5e46ba1a31370e3efdec8abbdcc; d021c344051af91f42c5ba9fdedc176740cbd238 to <9698582a4dd9c4a05889d7db96d4c0edc9e69cac; d021c344051af91f42c5ba9fdedc176740cbd238 to <c05fa14db43ebef3bd862ca9d073981c0358b3f0 |
| Linux | Linux | 3.9; 0 to <3.9; 5.10.259 to <=5.10.*; 5.15.210 to <=5.15.*; 6.1.176 to <=6.1.*; 6.6.143 to <=6.6.*; 6.12.94 to <=6.12.*; 6.18.36 to <=6.18.*; 7.0.13 to <=7.0.*; 7.1 to <=* |
References
- https://git.kernel.org/stable/c/22c587aa3ab1ab5264daff3ec32136fd30436c13
- https://git.kernel.org/stable/c/cf7090e255d74c4b61c51f8ede9fcacdd8393b5b
- https://git.kernel.org/stable/c/ea0b03d52881c12a8c634ea0d6cbfa61cefdb488
- https://git.kernel.org/stable/c/dfd853197615d322d3a88dbcab91fc0fd2096219
- https://git.kernel.org/stable/c/bcb275626055df7f8f947f1a349754b4004d9a15
- https://git.kernel.org/stable/c/ba9ad6015937a5e46ba1a31370e3efdec8abbdcc
- https://git.kernel.org/stable/c/9698582a4dd9c4a05889d7db96d4c0edc9e69cac
- https://git.kernel.org/stable/c/c05fa14db43ebef3bd862ca9d073981c0358b3f0
Generated from the official CVE List on 25 Jun 2026 10:14 UTC.