CVE-2026-46320

HIGH EPSS 14.4%
Published Jun 9, 2026 (3w ago) · Modified Jun 19, 2026 (2w ago)
7.4 CVSS 3.1
High

Description

In the Linux kernel, the following vulnerability has been resolved:

tap: free page on error paths in tap_get_user_xdp()

tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame.

tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.

Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().
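The ownership gap described above, as a user-space C model added here for illustration; it is not the kernel source or the fix commit. All type and function names are hypothetical, and only ETH_HLEN and the errno values mirror the kernel.

```c
#include <errno.h>
#include <stdio.h>
#define ETH_HLEN 14 /* Ethernet header length, same value as the kernel macro */

/* Hypothetical model types; page_held stands in for the page-frag chunk. */
struct frame { size_t len; int build_fails; int page_held; };
static int live_pages; /* model pages allocated and not yet freed */

static void page_get(struct frame *f) { f->page_held = 1; live_pages++; }
static void page_put(struct frame *f) { if (f->page_held) { f->page_held = 0; live_pages--; } }

/* Per-frame consumer: both error paths return before a packet owns the page. */
static int consume_frame(struct frame *f, int patched)
{
    int err = 0;
    if (f->len < ETH_HLEN)
        err = -EINVAL;       /* frame shorter than an Ethernet header */
    else if (f->build_fails)
        err = -ENOMEM;       /* packet construction failed */
    if (err && !patched)
        return err;          /* unpatched: page is still held, nobody frees it */
    page_put(f);             /* patched error path, or success (packet releases it) */
    return err;
}

/* Send layer: drops each per-frame result and reports success for the batch. */
static int send_batch(struct frame *b, int n, int patched)
{
    for (int i = 0; i < n; i++)
        (void)consume_frame(&b[i], patched);
    return 0;
}

/* Batching caller: frees pages only if send_batch fails. Returns pages leaked. */
int leaked_pages(int patched)
{
    /* Constructed batch: two short frames and one build failure out of five. */
    struct frame b[5] = { {60, 0, 0}, {5, 0, 0}, {1514, 1, 0}, {0, 0, 0}, {64, 0, 0} };
    live_pages = 0;
    for (int i = 0; i < 5; i++)
        page_get(&b[i]);
    if (send_batch(b, 5, patched) < 0)
        for (int i = 0; i < 5; i++)
            page_put(&b[i]);
    return live_pages;
}

int main(void)
{
    printf("unpatched: %d leaked, patched: %d leaked\n", leaked_pages(0), leaked_pages(1));
}
```

Because the send layer always reports success, the caller's cleanup loop never runs, so the only place the page can be released on a rejected frame is inside the per-frame consumer.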

CVSS Details

Base Score: 7.4
Exploitability: 2.8
Impact: 4.0
Vector string: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: None
Integrity: None
Availability: High

Threat Intelligence

EPSS Exploit Probability: 14.4% percentile
Exploit & Patch Status:
  • No Known Exploit
  • No Patch Available

References 8

  • git.kernel.org https://git.kernel.org/stable/c/18a84c35842e19cd3c5534d8cee73d31863f696d
  • git.kernel.org https://git.kernel.org/stable/c/3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2
  • git.kernel.org https://git.kernel.org/stable/c/3f52a86a482a69294c50a5a2a097bd6f4104990a
  • git.kernel.org https://git.kernel.org/stable/c/8d03e65eb6cfbffec471a6b65416f93679bf3286
  • git.kernel.org https://git.kernel.org/stable/c/d30aac0fa00ca0afc3e08174cf7f974a66bdcf05
  • git.kernel.org https://git.kernel.org/stable/c/d68eab61944a9b0826fa2e954e42db1aa3201b7a
  • git.kernel.org https://git.kernel.org/stable/c/e27c17346628cb56843a83f93ac63c314c00f388
  • git.kernel.org https://git.kernel.org/stable/c/f979971835dddbca86cf99e3b2e2b94a408a1ab2

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.