diff --git a/vmm/src/config.rs b/vmm/src/config.rs
index 7ed48e0dd..3342c2cb9 100644
--- a/vmm/src/config.rs
+++ b/vmm/src/config.rs
@@ -153,6 +153,8 @@ pub enum ValidationError {
     TooManyQueues,
     /// Need shared memory for vfio-user
     UserDevicesRequireSharedMemory,
+    /// VSOCK Context Identifier has a special meaning, unsuitable for a VM.
+    VsockSpecialCid(u64),
     /// Memory zone is reused across NUMA nodes
     MemoryZoneReused(String, u32, u32),
     /// Invalid number of PCI segments
@@ -241,6 +243,9 @@ impl fmt::Display for ValidationError {
                     "Using user devices requires using shared memory or huge pages"
                 )
             }
+            VsockSpecialCid(cid) => {
+                write!(f, "{cid} is a special VSOCK CID")
+            }
             MemoryZoneReused(s, u1, u2) => {
                 write!(
                     f,
@@ -2065,6 +2070,12 @@ impl VmConfig {
             }
         }
 
+        if let Some(vsock) = &self.vsock {
+            if [u32::MAX as u64, 0, 1, 2].contains(&vsock.cid) {
+                return Err(ValidationError::VsockSpecialCid(vsock.cid));
+            }
+        }
+
         if let Some(balloon) = &self.balloon {
             let mut ram_size = self.memory.size;
 
@@ -3041,9 +3052,9 @@ mod tests {
         // socket and cid is required
         assert!(VsockConfig::parse("").is_err());
         assert_eq!(
-            VsockConfig::parse("socket=/tmp/sock,cid=1")?,
+            VsockConfig::parse("socket=/tmp/sock,cid=3")?,
             VsockConfig {
-                cid: 1,
+                cid: 3,
                 socket: PathBuf::from("/tmp/sock"),
                 iommu: false,
                 id: None,
@@ -3051,9 +3062,9 @@ mod tests {
             }
         );
         assert_eq!(
-            VsockConfig::parse("socket=/tmp/sock,cid=1,iommu=on")?,
+            VsockConfig::parse("socket=/tmp/sock,cid=3,iommu=on")?,
             VsockConfig {
-                cid: 1,
+                cid: 3,
                 socket: PathBuf::from("/tmp/sock"),
                 iommu: true,
                 id: None,
@@ -3386,9 +3397,11 @@ mod tests {
             ..Default::default()
         });
         still_valid_config.vsock = Some(VsockConfig {
+            cid: 3,
+            socket: PathBuf::new(),
+            id: None,
             iommu: true,
             pci_segment: 1,
-            ..Default::default()
         });
         assert!(still_valid_config.validate().is_ok());
 
@@ -3463,9 +3476,11 @@ mod tests {
             ..Default::default()
         });
         invalid_config.vsock = Some(VsockConfig {
+            cid: 3,
+            socket: PathBuf::new(),
+            id: None,
             iommu: false,
             pci_segment: 1,
-            ..Default::default()
         });
         assert_eq!(
             invalid_config.validate(),
diff --git a/vmm/src/lib.rs b/vmm/src/lib.rs
index 23cd36d06..928c36f7b 100644
--- a/vmm/src/lib.rs
+++ b/vmm/src/lib.rs
@@ -2672,7 +2672,7 @@ mod unit_tests {
     #[test]
     fn test_vmm_vm_cold_add_vsock() {
         let mut vmm = create_dummy_vmm();
-        let vsock_config = VsockConfig::parse("socket=/tmp/sock,cid=1,iommu=on").unwrap();
+        let vsock_config = VsockConfig::parse("socket=/tmp/sock,cid=3,iommu=on").unwrap();
 
         assert!(matches!(
             vmm.vm_add_vsock(vsock_config.clone()),