CVE-2026-46321

HIGH EPSS 2.9%
Published Jun 9, 2026 (3w ago) · Modified Jun 19, 2026 (2w ago)
7.1 CVSS 3.1
High

Description

In the Linux kernel, the following vulnerability has been resolved:

tun: free page on short-frame rejection in tun_xdp_one()

tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.

A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic.

Free the page before returning -EINVAL, matching the XDP-program error path in the same function.
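The buffer-ownership mistake described above, as an added userspace model (not kernel code and not the upstream patch). The model_* names, the outstanding counter and the sample batch are assumptions made for illustration; only ETH_HLEN and the -EINVAL return come from the description.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define ETH_HLEN 14          /* Ethernet header length, as in the kernel */

/* Model-only count of buffers allocated but not yet freed. */
static int outstanding;

/* Model of the short-frame check in tun_xdp_one(); `fixed` selects the
 * patched behaviour (free the buffer before returning -EINVAL). */
static int model_tun_xdp_one(size_t datasize, int fixed)
{
    if (datasize < ETH_HLEN) {
        if (fixed)
            outstanding--;   /* the fix: release the rejected buffer */
        return -EINVAL;      /* unpatched: buffer is still owned by nobody */
    }
    outstanding--;           /* accepted frame: buffer consumed and released */
    return 0;
}

/* Constructed batch: two frames below ETH_HLEN and two valid ones. */
static const size_t sample_lens[] = { 4, 60, 13, 1514 };

/* Model of the caller chain: one buffer is allocated per frame, the
 * per-frame error is discarded, and the batch is treated as sent, so
 * nothing upstream frees a rejected buffer. Returns buffers leaked. */
static int leaked_after(int kicks, int fixed)
{
    outstanding = 0;
    for (int k = 0; k < kicks; k++)
        for (size_t i = 0; i < sizeof(sample_lens) / sizeof(sample_lens[0]); i++) {
            outstanding++;   /* stands in for the per-frame allocation */
            (void)model_tun_xdp_one(sample_lens[i], fixed);
        }
    return outstanding;
}

int main(void)
{
    printf("unpatched: %d leaked, patched: %d leaked\n",
           leaked_after(3, 0), leaked_after(3, 1));
    return 0;
}
```

In the unpatched model the leak grows linearly with the number of kicks, which is why the description treats a submission loop as a memory-exhaustion condition rather than a one-off leak.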

CVSS Details

Base Score 7.1
Exploitability 2.5
Impact 4.0
Vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.9% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

References 8

  • git.kernel.org https://git.kernel.org/stable/c/0a6f46a9332ad6958992d64d3b3a81a80b2ca940
  • git.kernel.org https://git.kernel.org/stable/c/0e8211fcf9426f5adddf32516ba0f400ceb9544d
  • git.kernel.org https://git.kernel.org/stable/c/37a1c268c2c8090bf4dc552d732bd23ba36f8eb0
  • git.kernel.org https://git.kernel.org/stable/c/5b34f9e4fe2f203724a6e893d6df0316b9670057
  • git.kernel.org https://git.kernel.org/stable/c/69863ff2720a0e9871f1a5710f2a33a94217fee0
  • git.kernel.org https://git.kernel.org/stable/c/98c67be9eb9de72465a071949e84a3cdb8fab5a3
  • git.kernel.org https://git.kernel.org/stable/c/e915445942af6dcea628bf66d6241641201a0c41
  • git.kernel.org https://git.kernel.org/stable/c/f4feb1e20058e407cb00f45aff47f5b7e19a6bbf

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.