CVE-2026-52940
Kernel Memory Leak in Linux Kernel tun Module

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

tun: zero the whole vnet header in tun_put_user()

tun_put_user() declares an on-stack struct virtio_net_hdr_v1_hash_tunnel without zeroing it. For a non-tunnel skb, virtio_net_hdr_tnl_from_skb() only initializes the first 10 bytes (sizeof(struct virtio_net_hdr)), leaving bytes 10..23 (num_buffers and the hash/tunnel fields) as stack garbage.

An unprivileged user can set the vnet header size to 24 with TUNSETVNETHDRSZ, so __tun_vnet_hdr_put() copies all 24 bytes of the partially-initialized struct to userspace, leaking 14 bytes of kernel stack on every read of a non-tunnel packet.

Fix it the same way tun_get_user() already does by zeroing the whole header right after declaration.
Affected Vendors & Products

Vendor: linux
Product: linux_kernel
Version / Range: * (no fixed version is listed on this page)
Executive Summary

This vulnerability exists in the Linux kernel's tun driver, specifically in the function tun_put_user(). The function declares a struct virtio_net_hdr_v1_hash_tunnel on the stack but does not zero out the entire structure. For non-tunnel packets, only the first 10 bytes of this structure are initialized, leaving the remaining bytes as uninitialized stack memory.

An unprivileged user can trigger this by setting the virtual network header size to 24 bytes with the TUNSETVNETHDRSZ ioctl. Because __tun_vnet_hdr_put() copies the full configured header size rather than only the initialized part, every read of a non-tunnel packet copies all 24 bytes of the partially initialized structure to userspace, disclosing the 14 uninitialized bytes of kernel stack.

The vulnerability was fixed by zeroing the entire vnet header structure immediately after its declaration, preventing any uninitialized kernel stack data from being leaked.
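As an added illustration (not the kernel's code and not part of this advisory), the following user-space C model reproduces the pattern the Description and Executive Summary describe: a 24-byte header built on a stack slot, only its first 10 bytes initialized on the non-tunnel path, and the whole configured header size copied out. The struct field names, the 0xA5 marker standing in for stale stack contents, and the function names are constructed assumptions; the fix line mirrors the zeroing the advisory describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Size-only models of the two headers named in the advisory (field names assumed). */
struct virtio_net_hdr_model { uint8_t bytes[10]; };      /* legacy header: bytes 0..9 */
struct vnet_hdr_v1_hash_tunnel_model {
    struct virtio_net_hdr_model legacy;                 /* bytes 0..9  */
    uint8_t tail[14];                                   /* bytes 10..23: num_buffers, hash, tunnel */
};

#define VNET_HDR_SZ_MAX 24      /* value an unprivileged user can select via TUNSETVNETHDRSZ */
#define STACK_GARBAGE   0xA5    /* constructed marker standing in for stale stack data */

/* Model of tun_put_user(): `slot` plays the role of the stack frame and is
 * pre-filled with the marker so stale contents are observable; `user` receives
 * what __tun_vnet_hdr_put() would copy out (vnet_hdr_sz bytes). */
static void put_user_model(uint8_t *slot, size_t vnet_hdr_sz, bool zero_whole, uint8_t *user)
{
    struct vnet_hdr_v1_hash_tunnel_model *hdr = (void *)slot;
    memset(slot, STACK_GARBAGE, sizeof *hdr);            /* stale frame contents */
    if (zero_whole)
        memset(hdr, 0, sizeof *hdr);                     /* the fix: zero right after declaration */
    memset(&hdr->legacy, 0, sizeof hdr->legacy);         /* non-tunnel path: only first 10 bytes set */
    memcpy(user, hdr, vnet_hdr_sz);                      /* copies the whole configured size */
}

/* Number of bytes in user[10..vnet_hdr_sz) that still carry the marker,
 * i.e. bytes that reached "userspace" without ever being initialized. */
size_t leaked_bytes(size_t vnet_hdr_sz, bool zero_whole)
{
    uint8_t slot[VNET_HDR_SZ_MAX], user[VNET_HDR_SZ_MAX];
    size_t n = 0;
    if (vnet_hdr_sz > VNET_HDR_SZ_MAX)
        vnet_hdr_sz = VNET_HDR_SZ_MAX;
    put_user_model(slot, vnet_hdr_sz, zero_whole, user);
    for (size_t i = sizeof(struct virtio_net_hdr_model); i < vnet_hdr_sz; i++)
        if (user[i] == STACK_GARBAGE)
            n++;
    return n;
}
```

With a 24-byte header the unfixed model hands 14 marker bytes to the caller, the zeroed model hands none, and a 10-byte header never exposes the tail at all.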

Impact Analysis

This vulnerability can lead to information disclosure by leaking kernel stack memory to unprivileged users. The leaked data may contain sensitive information from the kernel's memory space, which could be used to aid further attacks such as privilege escalation or bypassing security mechanisms.

Since the leak occurs on every read of a non-tunnel packet when the vnet header size is set to 24, an attacker can repeatedly exploit this to gather significant amounts of kernel memory data.

Mitigation Strategies

The vulnerability is fixed by zeroing the whole vnet header in the tun_put_user() function, similar to the existing fix in tun_get_user().

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

With the whole header zeroed, reads of non-tunnel packets with a 24-byte vnet header no longer copy uninitialized kernel stack bytes to userspace, so the TUNSETVNETHDRSZ path stops disclosing kernel memory.
