CVE-2026-46322
Received Received - Intake
Memory Leak in Linux Kernel tun_xdp_one

Publication date: 2026-06-09

Last updated on: 2026-06-14

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: tun: free page on build_skb failure in tun_xdp_one() When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk. Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-09
Last Modified
2026-06-14
Generated
2026-06-17
AI Q&A
2026-06-09
EPSS Evaluated
2026-06-16
NVD
CVE-2026-46322
EUVD
EUVD-2026-35412
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's tun driver, specifically in the function tun_xdp_one(). When the function build_skb() fails, the error handling path does not free a memory page that was allocated earlier for the network frame. As a result, each failure causes a memory leak of one page-frag chunk because the allocated page is never released.

The issue arises because the function returns an error without freeing the allocated page, while the caller mistakenly treats the operation as successful and does not free the page either. The fix involves freeing the page before returning the error, ensuring proper memory management.

Impact Analysis

This vulnerability can lead to a memory leak in the Linux kernel's networking subsystem. Specifically, each failure of build_skb() in tun_xdp_one() causes a page of memory to be leaked and not freed.

Over time, this memory leak could degrade system performance, cause resource exhaustion, and potentially lead to system instability or crashes if the leaked memory accumulates significantly.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46322. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart