PT-2026-52277 · Linux · Linux
Published 2026-06-25 · Updated 2026-06-25
CVE-2026-53181
None
No severity ratings or metrics are available. When they become available, we will update the corresponding information on this page.
In the Linux kernel, the following vulnerability has been resolved:
vsock/vmci: fix sk_ack_backlog leak on failed handshake

When vmci_transport_recv_connecting_server() returns an error,
vmci_transport_recv_listen() calls vsock_remove_pending() but never
calls sk_acceptq_removed(). This leaves sk_ack_backlog incremented
permanently.

Repeated handshake failures (malformed packets, queue pair alloc
failure, event subscribe failure) cause sk_ack_backlog to climb
toward sk_max_ack_backlog. Once it reaches the limit the listener
permanently refuses all new connections with -ECONNREFUSED, a
silent denial of service requiring a process restart to recover.

The two existing sk_acceptq_removed() calls in af_vsock.c do not
cover this path: line 764 checks vsock_is_pending() which returns
false after vsock_remove_pending(), and line 1889 is only reached
on successful accept().

Fix by balancing sk_acceptq_added() with sk_acceptq_removed() on
the error path.
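
The accounting imbalance described above, as an added user-space model in C; it is not kernel code and not part of the original advisory or patch. sk_acceptq_added(), sk_acceptq_removed() and the two backlog fields are the names the description uses, while struct model_sock, the model_* functions and the -EPROTO return value are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model of the listener's accept-queue accounting.
 * Field and helper names mirror the description; model_* names are hypothetical. */
struct model_sock {
    unsigned int sk_ack_backlog;      /* pending + not-yet-accepted connections */
    unsigned int sk_max_ack_backlog;  /* limit set by listen() */
};

static void sk_acceptq_added(struct model_sock *sk)   { sk->sk_ack_backlog++; }
static void sk_acceptq_removed(struct model_sock *sk) { sk->sk_ack_backlog--; }

/* One incoming connection request followed by its handshake result. */
static int model_connect(struct model_sock *sk, bool handshake_ok, bool fixed)
{
    if (sk->sk_ack_backlog >= sk->sk_max_ack_backlog)
        return -ECONNREFUSED;         /* listener considers its backlog full */

    sk_acceptq_added(sk);             /* request queued as a pending socket */

    if (!handshake_ok) {
        /* Error path: the pending socket is dropped here. */
        if (fixed)
            sk_acceptq_removed(sk);   /* the balancing call the fix adds */
        return -EPROTO;               /* constructed error value */
    }
    sk_acceptq_removed(sk);           /* successful accept() dequeues it */
    return 0;
}

/* Fail `failures` handshakes, then report what a valid client gets. */
static int model_after_failures(bool fixed, unsigned int failures, unsigned int max)
{
    struct model_sock sk = { 0, max };
    for (unsigned int i = 0; i < failures; i++)
        model_connect(&sk, false, fixed);
    return model_connect(&sk, true, fixed);
}

int main(void)
{
    printf("unfixed: %d\n", model_after_failures(false, 8, 8));
    printf("fixed:   %d\n", model_after_failures(true, 8, 8));
    return 0;
}
```

In the unfixed case the counter never drops, so a listener whose accept() calls are failing with -ECONNREFUSED while no connections are actually queued matches the condition the description gives.
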
Related identifiers
Affected products
Linux