{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\ntun: free page on short-frame rejection in tun_xdp_one()\\n\\ntun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without\\nfreeing the page that vhost_net_build_xdp() allocated for it.\\ntun_sendmsg() discards that -EINVAL and still returns total_len, so\\nvhost_tx_batch() takes the success path and never frees the page; each\\nshort frame in a batch leaks one page-frag chunk.\\n\\nA local process that can open \/dev\/net\/tun and \/dev\/vhost-net can hit\\nthis path: it attaches a tun\/tap device as the vhost-net backend and\\nfeeds TX descriptors whose length minus the virtio-net header is below\\nETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a\\ntight submission loop exhausts host memory and triggers an OOM panic.\\nFree the page before returning -EINVAL, matching the XDP-program error\\npath in the same function.”,”published”:”2026-06-09T12:11:13.872Z”,”modified”:”2026-06-14T04:30:16.094Z”,”type”:”cve”,”title”:”tun: free page on short-frame rejection in tun_xdp_one()”,”source”:”Linux”,”references”:”https:\/\/git.kernel.org\/stable\/c\/69863ff2720a0e9871f1a5710f2a33a94217fee0\\nhttps:\/\/git.kernel.org\/stable\/c\/37a1c268c2c8090bf4dc552d732bd23ba36f8eb0\\nhttps:\/\/git.kernel.org\/stable\/c\/98c67be9eb9de72465a071949e84a3cdb8fab5a3\\nhttps:\/\/git.kernel.org\/stable\/c\/f4feb1e20058e407cb00f45aff47f5b7e19a6bbf”,”id”:”CVE-2026-46321″,”bulletinFamily”:””,”cwe”:null,”cvelist”:null,”sourceData”:”Linux Linux 049584807f1d797fc3078b68035450a9769eb5c3\\nLinux Linux 049584807f1d797fc3078b68035450a9769eb5c3\\nLinux Linux 049584807f1d797fc3078b68035450a9769eb5c3\\nLinux Linux 049584807f1d797fc3078b68035450a9769eb5c3\\nLinux Linux 32b0aaba5dbc85816898167d9b5d45a22eae82e9\\nLinux Linux 6100e0237204890269e3f934acfc50d35fd6f319\\nLinux Linux 589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2\\nLinux Linux ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146\\nLinux Linux d5ad89b7d01ed4e66fd04734fc63d6e78536692a\\nLinux Linux a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb\\nLinux Linux 8418f55302fa1d2eeb73e16e345167e545c598a5\\nLinux Linux 5.4.281\\nLinux Linux 5.10.223\\nLinux Linux 5.15.164\\nLinux Linux 6.1.102\\nLinux Linux 6.6.43\\nLinux Linux 6.9.12\\nLinux Linux 6.10.2\\nLinux Linux 6.11″,”sourceHref”:””,”cvss”:{“score”:7.1,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:N\/UI:N\/S:C\/C:N\/I:N\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Linux”,”version”:”049584807f1d797fc3078b68035450a9769eb5c3″,”vendor”:”Linux”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\ntun: free page on short-frame rejection in tun_xdp_one()\\n\\ntun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,50,12,15,13,7,11,5],"class_list":["post-62552","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-71","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n