CVE-2026-53365 in Linux
Summary
by MITRE • 07/13/2026
In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: fix zerocopy completion for multi-skb sends
When a large message is fragmented into multiple skbs, the zerocopy uarg is only allocated and attached to the last skb in the loop. Non-final skbs carry pinned user pages with no completion tracking, so the kernel has no way to notify userspace when those pages are safe to reuse. If the loop breaks early the uarg is never allocated at all, leaking pinned pages with no completion notification.
Fix this by following the approach used by TCP: allocate the zerocopy uarg (if not provided by the caller) before the send loop and attach it to every skb via skb_zcopy_set(), which takes a reference per skb. Each skb's completion properly decrements the refcount, and the notification only fires after the last skb is freed. On failure, if no data was sent, the uarg is cleanly aborted via net_zcopy_put_abort().
This issue was initially discovered by sashiko while reviewing commit 1cb36e252211 ("vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting") but was pre-existing.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/13/2026
The vulnerability described affects the Linux kernel's virtual socket implementation, specifically within the virtio vsock driver that facilitates communication between guest and host virtual machines. This flaw exists in the handling of zero-copy send operations where large messages are fragmented into multiple socket buffers or skbs. The technical root cause lies in improper allocation and attachment of user space page tracking structures during multi-skb message transmission, creating a critical memory management gap that can lead to resource leaks and potential denial of service conditions.
The vulnerability manifests when the kernel processes large messages that must be broken down into smaller fragments for transmission across virtualized networks. During this fragmentation process, the zero-copy user argument structure containing page tracking information is only allocated and attached to the final skb in the processing loop. This design creates a fundamental flaw where intermediate skbs retain pinned user pages without proper completion tracking mechanisms, meaning the kernel cannot signal when these memory pages are safely available for reuse by userspace applications. The absence of completion notification for non-final skbs represents a significant gap in the kernel's memory management accounting system.
The operational impact of this vulnerability extends beyond simple resource leakage to potentially enable denial of service conditions within virtualized environments. When the processing loop terminates early due to errors or other conditions, the zero-copy user argument structure never gets allocated at all, resulting in pinned pages that remain unreleased indefinitely. This scenario creates a memory consumption issue where user space pages become permanently pinned, preventing their reuse and potentially leading to system-wide memory exhaustion. The vulnerability affects virtual machine communications where zero-copy optimizations are utilized, particularly in scenarios involving large data transfers or high-throughput network operations.
The fix implemented follows established kernel patterns used by TCP stack implementations for managing zero-copy operations, ensuring proper reference counting and completion tracking across all fragments of a multi-skb message. By allocating the zero-copy user argument structure before entering the send loop and attaching it to every individual skb via the skb_zcopy_set() function, each fragment maintains its own reference count that properly decrements as the skb is processed and freed. This approach ensures that notification to userspace only occurs after the final skb in the sequence has been completely released, maintaining proper synchronization between kernel memory management and userspace page availability. The solution handles failure conditions gracefully by aborting the zero-copy operation through net_zcopy_put_abort() when no data has been successfully transmitted, preventing resource leaks even during error scenarios.
This vulnerability aligns with CWE-401 (Improper Release of Memory) and represents a classic case of improper resource management in kernel space. The flaw demonstrates how complex memory tracking systems can fail when edge cases such as early loop termination are not properly considered during implementation. From an attack perspective, this issue could be exploited to exhaust system resources through sustained large message transmissions that create pinned page leaks. The fix addresses these concerns by implementing proper reference counting mechanisms and ensuring complete cleanup even under error conditions, aligning with the ATT&CK framework's system resource exhaustion techniques prevention patterns where kernel memory management is properly maintained throughout all code paths.