tun: free page on short-frame rejection in tun_xdp_one()

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-46321
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-06-09 13:16:37 UTC
Updated2026-06-14 06:16:24 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: tun: free page on short-frame rejection in tun_xdp_one() tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk. A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.

Risk And Classification

Primary CVSS: v3.1 7.1 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

EPSS: 0.000120000 probability, percentile 0.017050000 (date 2026-06-14)

VersionSourceTypeScoreSeverityVector
3.1416baaa9-dc9f-4396-8d5f-8c081fb06d67Secondary7.1HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
3.1CNADECLARED7.1HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVSS v3.1 Breakdown

Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 049584807f1d797fc3078b68035450a9769eb5c3 69863ff2720a0e9871f1a5710f2a33a94217fee0 git Not specified
CNA Linux Linux affected 049584807f1d797fc3078b68035450a9769eb5c3 37a1c268c2c8090bf4dc552d732bd23ba36f8eb0 git Not specified
CNA Linux Linux affected 049584807f1d797fc3078b68035450a9769eb5c3 98c67be9eb9de72465a071949e84a3cdb8fab5a3 git Not specified
CNA Linux Linux affected 049584807f1d797fc3078b68035450a9769eb5c3 f4feb1e20058e407cb00f45aff47f5b7e19a6bbf git Not specified
CNA Linux Linux affected 32b0aaba5dbc85816898167d9b5d45a22eae82e9 git Not specified
CNA Linux Linux affected 6100e0237204890269e3f934acfc50d35fd6f319 git Not specified
CNA Linux Linux affected 589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2 git Not specified
CNA Linux Linux affected ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146 git Not specified
CNA Linux Linux affected d5ad89b7d01ed4e66fd04734fc63d6e78536692a git Not specified
CNA Linux Linux affected a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb git Not specified
CNA Linux Linux affected 8418f55302fa1d2eeb73e16e345167e545c598a5 git Not specified
CNA Linux Linux affected 5.4.281 5.5 semver Not specified
CNA Linux Linux affected 5.10.223 5.11 semver Not specified
CNA Linux Linux affected 5.15.164 5.16 semver Not specified
CNA Linux Linux affected 6.1.102 6.2 semver Not specified
CNA Linux Linux affected 6.6.43 6.7 semver Not specified
CNA Linux Linux affected 6.9.12 6.10 semver Not specified
CNA Linux Linux affected 6.10.2 6.11 semver Not specified
CNA Linux Linux affected 6.11 Not specified
CNA Linux Linux unaffected 6.11 semver Not specified
CNA Linux Linux unaffected 6.12.93 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.35 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.12 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1-rc6 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/98c67be9eb9de72465a071949e84a3cdb8fab5a3 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/f4feb1e20058e407cb00f45aff47f5b7e19a6bbf 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/37a1c268c2c8090bf4dc552d732bd23ba36f8eb0 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/69863ff2720a0e9871f1a5710f2a33a94217fee0 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report