CVE-2026-46320
Received Received - Intake
Tap XDP Frame Leak in Linux Kernel

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: tap: free page on error paths in tap_get_user_xdp() tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk. Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-09
Last Modified
2026-06-09
Generated
2026-06-09
AI Q&A
2026-06-09
EPSS Evaluated
N/A
NVD
CVE-2026-46320
EUVD
EUVD-2026-35410
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's tap network interface code. Specifically, in the function tap_get_user_xdp(), when certain error conditions occurβ€”such as receiving a frame shorter than the Ethernet header length or a failure in building a socket buffer (skb)β€”the allocated memory page for the frame is not freed properly. This happens because both error paths jump to an error label without releasing the allocated page. Additionally, tap_sendmsg() ignores the per-buffer return value and always returns success, causing the caller to believe the operation succeeded and never freeing the leaked memory. As a result, each rejected frame in a batch leaks one page-frag chunk of memory.

Impact Analysis

The vulnerability causes a memory leak in the Linux kernel's tap network interface. Over time, repeated triggering of this issue can lead to increased memory consumption, potentially exhausting system memory resources. This can degrade system performance, cause instability, or even lead to denial of service conditions if the system runs out of memory.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46320. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart