CVE-2026-46321 (GCVE-0-2026-46321)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:11 – Updated: 2026-06-09 12:11
VLAI
Title
tun: free page on short-frame rejection in tun_xdp_one()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tun: free page on short-frame rejection in tun_xdp_one()
tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without
freeing the page that vhost_net_build_xdp() allocated for it.
tun_sendmsg() discards that -EINVAL and still returns total_len, so
vhost_tx_batch() takes the success path and never frees the page; each
short frame in a batch leaks one page-frag chunk.
A local process that can open /dev/net/tun and /dev/vhost-net can hit
this path: it attaches a tun/tap device as the vhost-net backend and
feeds TX descriptors whose length minus the virtio-net header is below
ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a
tight submission loop exhausts host memory and triggers an OOM panic.
Free the page before returning -EINVAL, matching the XDP-program error
path in the same function.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
049584807f1d797fc3078b68035450a9769eb5c3 , < 69863ff2720a0e9871f1a5710f2a33a94217fee0
(git)
Affected: 049584807f1d797fc3078b68035450a9769eb5c3 , < 37a1c268c2c8090bf4dc552d732bd23ba36f8eb0 (git) Affected: 049584807f1d797fc3078b68035450a9769eb5c3 , < 98c67be9eb9de72465a071949e84a3cdb8fab5a3 (git) Affected: 049584807f1d797fc3078b68035450a9769eb5c3 , < f4feb1e20058e407cb00f45aff47f5b7e19a6bbf (git) Affected: 32b0aaba5dbc85816898167d9b5d45a22eae82e9 (git) Affected: 6100e0237204890269e3f934acfc50d35fd6f319 (git) Affected: 589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2 (git) Affected: ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146 (git) Affected: d5ad89b7d01ed4e66fd04734fc63d6e78536692a (git) Affected: a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb (git) Affected: 8418f55302fa1d2eeb73e16e345167e545c598a5 (git) Affected: 5.4.281 , < 5.5 (semver) Affected: 5.10.223 , < 5.11 (semver) Affected: 5.15.164 , < 5.16 (semver) Affected: 6.1.102 , < 6.2 (semver) Affected: 6.6.43 , < 6.7 (semver) Affected: 6.9.12 , < 6.10 (semver) Affected: 6.10.2 , < 6.11 (semver) |
|
| Linux | Linux |
Affected:
6.11
Unaffected: 0 , < 6.11 (semver) Unaffected: 6.12.93 , ≤ 6.12.* (semver) Unaffected: 6.18.35 , ≤ 6.18.* (semver) Unaffected: 7.0.12 , ≤ 7.0.* (semver) Unaffected: 7.1-rc6 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/tun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "69863ff2720a0e9871f1a5710f2a33a94217fee0",
"status": "affected",
"version": "049584807f1d797fc3078b68035450a9769eb5c3",
"versionType": "git"
},
{
"lessThan": "37a1c268c2c8090bf4dc552d732bd23ba36f8eb0",
"status": "affected",
"version": "049584807f1d797fc3078b68035450a9769eb5c3",
"versionType": "git"
},
{
"lessThan": "98c67be9eb9de72465a071949e84a3cdb8fab5a3",
"status": "affected",
"version": "049584807f1d797fc3078b68035450a9769eb5c3",
"versionType": "git"
},
{
"lessThan": "f4feb1e20058e407cb00f45aff47f5b7e19a6bbf",
"status": "affected",
"version": "049584807f1d797fc3078b68035450a9769eb5c3",
"versionType": "git"
},
{
"status": "affected",
"version": "32b0aaba5dbc85816898167d9b5d45a22eae82e9",
"versionType": "git"
},
{
"status": "affected",
"version": "6100e0237204890269e3f934acfc50d35fd6f319",
"versionType": "git"
},
{
"status": "affected",
"version": "589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2",
"versionType": "git"
},
{
"status": "affected",
"version": "ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146",
"versionType": "git"
},
{
"status": "affected",
"version": "d5ad89b7d01ed4e66fd04734fc63d6e78536692a",
"versionType": "git"
},
{
"status": "affected",
"version": "a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb",
"versionType": "git"
},
{
"status": "affected",
"version": "8418f55302fa1d2eeb73e16e345167e545c598a5",
"versionType": "git"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.281",
"versionType": "semver"
},
{
"lessThan": "5.11",
"status": "affected",
"version": "5.10.223",
"versionType": "semver"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.164",
"versionType": "semver"
},
{
"lessThan": "6.2",
"status": "affected",
"version": "6.1.102",
"versionType": "semver"
},
{
"lessThan": "6.7",
"status": "affected",
"version": "6.6.43",
"versionType": "semver"
},
{
"lessThan": "6.10",
"status": "affected",
"version": "6.9.12",
"versionType": "semver"
},
{
"lessThan": "6.11",
"status": "affected",
"version": "6.10.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/tun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.35",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc6",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.281",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.223",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.164",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.102",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.9.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.10.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: free page on short-frame rejection in tun_xdp_one()\n\ntun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without\nfreeing the page that vhost_net_build_xdp() allocated for it.\ntun_sendmsg() discards that -EINVAL and still returns total_len, so\nvhost_tx_batch() takes the success path and never frees the page; each\nshort frame in a batch leaks one page-frag chunk.\n\nA local process that can open /dev/net/tun and /dev/vhost-net can hit\nthis path: it attaches a tun/tap device as the vhost-net backend and\nfeeds TX descriptors whose length minus the virtio-net header is below\nETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a\ntight submission loop exhausts host memory and triggers an OOM panic.\nFree the page before returning -EINVAL, matching the XDP-program error\npath in the same function."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T12:11:13.872Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/69863ff2720a0e9871f1a5710f2a33a94217fee0"
},
{
"url": "https://git.kernel.org/stable/c/37a1c268c2c8090bf4dc552d732bd23ba36f8eb0"
},
{
"url": "https://git.kernel.org/stable/c/98c67be9eb9de72465a071949e84a3cdb8fab5a3"
},
{
"url": "https://git.kernel.org/stable/c/f4feb1e20058e407cb00f45aff47f5b7e19a6bbf"
}
],
"title": "tun: free page on short-frame rejection in tun_xdp_one()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46321",
"datePublished": "2026-06-09T12:11:13.872Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-09T12:11:13.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-46321",
"date": "2026-06-10",
"epss": "0.00018",
"percentile": "0.0478"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-46321\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-06-09T13:16:37.473\",\"lastModified\":\"2026-06-09T13:16:37.473\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntun: free page on short-frame rejection in tun_xdp_one()\\n\\ntun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without\\nfreeing the page that vhost_net_build_xdp() allocated for it.\\ntun_sendmsg() discards that -EINVAL and still returns total_len, so\\nvhost_tx_batch() takes the success path and never frees the page; each\\nshort frame in a batch leaks one page-frag chunk.\\n\\nA local process that can open /dev/net/tun and /dev/vhost-net can hit\\nthis path: it attaches a tun/tap device as the vhost-net backend and\\nfeeds TX descriptors whose length minus the virtio-net header is below\\nETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a\\ntight submission loop exhausts host memory and triggers an OOM panic.\\nFree the page before returning -EINVAL, matching the XDP-program error\\npath in the same function.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/37a1c268c2c8090bf4dc552d732bd23ba36f8eb0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/69863ff2720a0e9871f1a5710f2a33a94217fee0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/98c67be9eb9de72465a071949e84a3cdb8fab5a3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f4feb1e20058e407cb00f45aff47f5b7e19a6bbf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…