tun: free page on short-frame rejection in tun_xdp_one()_CVE-2026-46321

7.1 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

tun: free page on short-frame rejection in tun_xdp_one()

tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without
freeing the page that vhost_net_build_xdp() allocated for it.
tun_sendmsg() discards that -EINVAL and still returns total_len, so
vhost_tx_batch() takes the success path and never frees the page; each
short frame in a batch leaks one page-frag chunk.

A local process that can open /dev/net/tun and /dev/vhost-net can hit
this path: it attaches a tun/tap device as the vhost-net backend and
feeds TX descriptors whose length minus the virtio-net header is below
ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a
tight submission loop exhausts host memory and triggers an OOM panic.
Free the page before returning -EINVAL, matching the XDP-program error
path in the same function.

Basic Information

ID CVE-2026-46321

Source Linux

Published Jun 9, 2026 at 12:11

Modified Jun 14, 2026 at 04:30

Affected Product

Vendor Linux

Product Linux

Version 049584807f1d797fc3078b68035450a9769eb5c3

Affected Versions Linux Linux 049584807f1d797fc3078b68035450a9769eb5c3
Linux Linux 049584807f1d797fc3078b68035450a9769eb5c3
Linux Linux 049584807f1d797fc3078b68035450a9769eb5c3
Linux Linux 049584807f1d797fc3078b68035450a9769eb5c3
Linux Linux 32b0aaba5dbc85816898167d9b5d45a22eae82e9
Linux Linux 6100e0237204890269e3f934acfc50d35fd6f319
Linux Linux 589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2
Linux Linux ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146
Linux Linux d5ad89b7d01ed4e66fd04734fc63d6e78536692a
Linux Linux a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb
Linux Linux 8418f55302fa1d2eeb73e16e345167e545c598a5
Linux Linux 5.4.281
Linux Linux 5.10.223
Linux Linux 5.15.164
Linux Linux 6.1.102
Linux Linux 6.6.43
Linux Linux 6.9.12
Linux Linux 6.10.2
Linux Linux 6.11

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: free page on short-frame rejection in tun_xdp_one()\n\ntun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without\nfreeing the page that vhost_net_build_xdp() allocated for it.\ntun_sendmsg() discards that -EINVAL and still returns total_len, so\nvhost_tx_batch() takes the success path and never frees the page; each\nshort frame in a batch leaks one page-frag chunk.\n\nA local process that can open /dev/net/tun and /dev/vhost-net can hit\nthis path: it attaches a tun/tap device as the vhost-net backend and\nfeeds TX descriptors whose length minus the virtio-net header is below\nETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a\ntight submission loop exhausts host memory and triggers an OOM panic.\nFree the page before returning -EINVAL, matching the XDP-program error\npath in the same function.",
    "published": "2026-06-09T12:11:13.872Z",
    "modified": "2026-06-14T04:30:16.094Z",
    "type": "cve",
    "title": "tun: free page on short-frame rejection in tun_xdp_one()",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/69863ff2720a0e9871f1a5710f2a33a94217fee0\nhttps://git.kernel.org/stable/c/37a1c268c2c8090bf4dc552d732bd23ba36f8eb0\nhttps://git.kernel.org/stable/c/98c67be9eb9de72465a071949e84a3cdb8fab5a3\nhttps://git.kernel.org/stable/c/f4feb1e20058e407cb00f45aff47f5b7e19a6bbf",
    "id": "CVE-2026-46321",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 049584807f1d797fc3078b68035450a9769eb5c3\nLinux Linux 049584807f1d797fc3078b68035450a9769eb5c3\nLinux Linux 049584807f1d797fc3078b68035450a9769eb5c3\nLinux Linux 049584807f1d797fc3078b68035450a9769eb5c3\nLinux Linux 32b0aaba5dbc85816898167d9b5d45a22eae82e9\nLinux Linux 6100e0237204890269e3f934acfc50d35fd6f319\nLinux Linux 589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2\nLinux Linux ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146\nLinux Linux d5ad89b7d01ed4e66fd04734fc63d6e78536692a\nLinux Linux a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb\nLinux Linux 8418f55302fa1d2eeb73e16e345167e545c598a5\nLinux Linux 5.4.281\nLinux Linux 5.10.223\nLinux Linux 5.15.164\nLinux Linux 6.1.102\nLinux Linux 6.6.43\nLinux Linux 6.9.12\nLinux Linux 6.10.2\nLinux Linux 6.11",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "049584807f1d797fc3078b68035450a9769eb5c3",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply