CVE-2026-46321
Received Received - Intake
Memory Leak in Linux Kernel tun/tap Driver

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: tun: free page on short-frame rejection in tun_xdp_one() tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk. A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-09
Last Modified
2026-06-09
Generated
2026-06-09
AI Q&A
2026-06-09
EPSS Evaluated
N/A
NVD
CVE-2026-46321
EUVD
EUVD-2026-35411
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's tun driver, specifically in the function tun_xdp_one(). When a frame shorter than the Ethernet header length (ETH_HLEN) is processed, tun_xdp_one() returns an error (-EINVAL) but fails to free the memory page allocated for that frame. Because tun_sendmsg() ignores this error and returns the total length as if successful, the higher-level function vhost_tx_batch() assumes success and does not free the allocated page. This results in a memory leak of page-frag chunks for each short frame processed.

A local process with access to /dev/net/tun and /dev/vhost-net can exploit this by attaching a tun/tap device as the vhost-net backend and sending TX descriptors with lengths shorter than ETH_HLEN. Repeatedly doing this in a tight loop causes continuous memory leaks, eventually exhausting host memory and causing an out-of-memory (OOM) panic.

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition on the affected system. By exploiting the memory leak, an attacker with local access can cause the system to run out of memory, triggering an out-of-memory (OOM) panic. This can disrupt normal operations, potentially causing system crashes or instability.

Mitigation Strategies

To mitigate this vulnerability, ensure that your Linux kernel is updated to a version where the issue in tun_xdp_one() has been fixed. The fix involves freeing the page before returning -EINVAL on short frames, preventing memory leaks.

Additionally, restrict local processes from opening /dev/net/tun and /dev/vhost-net unless necessary, as exploitation requires access to these devices.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46321. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart