CVE-2026-23069

If the peer shrinks its advertised buffer (peerbufalloc) while bytes are in flight, the subtraction can underflow and produce a large positive value, potentially allowing more data to be queued than the peer can handle.

Reuse virtiotransporthas_space() which already handles this case and add a comment to make it clear why we are doing that.

[Stefano: use virtiotransporthas_space() instead of duplicating the code] [Stefano: tweak the commit message]

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23069.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

06a8fc78367d070720af960dcecec917d3ae5f3b

Fixed

d96de882d6b99955604669d962ae14e94b66a551

Fixed

02f9af192b98d15883c70dd41ac76d1b0217c899

Fixed

d05bc313788f0684b27f0f5b60c52a844669b542

Fixed

ec0f1b3da8061be3173d1c39faaf9504f91942c3

Fixed

3ef3d52a1a9860d094395c7a3e593f3aa26ff012

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23069.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.8.0

Fixed

6.1.162

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.122

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.68

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.8

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23069.json"