CVE-2026-46322

Severity: HIGH · CVSS 3.1 base score 7.1 · EPSS 2.9%
Published Jun 9, 2026 · Last Modified Jun 19, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

tun: free page on build_skb failure in tun_xdp_one()

When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame.

As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk.

Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform.
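The ownership gap described above can be reproduced in a small userspace model. This is an added example, not kernel code and not the fix commit: the `model_*` functions, the toy `struct page` pool and the failure bitmask are assumptions standing in for vhost_net_build_xdp(), build_skb(), tun_xdp_one() and tun_sendmsg().

```c
#include <errno.h>
#include <stdio.h>

#define MAX_BATCH 32
struct page { int refs; };            /* toy page with a reference count */
static struct page pool[MAX_BATCH];
static int live_pages;                /* allocated and not yet released */

/* Stand-in for the per-frame allocation done by vhost_net_build_xdp(). */
static struct page *model_alloc_page(int i) {
    pool[i].refs = 1;
    live_pages++;
    return &pool[i];
}
static void model_put_page(struct page *p) { if (--p->refs == 0) live_pages--; }

/* Stand-in for build_skb(): NULL on failure, otherwise the skb owns the page. */
static struct page *model_build_skb(struct page *p, int fail) { return fail ? NULL : p; }

/* Models only the build_skb() error exit of tun_xdp_one(). */
static int model_xdp_one(struct page *p, int fail, int fixed) {
    struct page *skb = model_build_skb(p, fail);
    if (!skb) {
        if (fixed)
            model_put_page(p);        /* the fix: free before the error path */
        return -ENOMEM;
    }
    model_put_page(skb);              /* success: consuming the skb releases the page */
    return 0;
}

/* Models tun_sendmsg(): per-buffer errors are discarded, total_len is returned. */
static int model_sendmsg(int n, unsigned fail_mask, int fixed, int total_len) {
    for (int i = 0; i < n && i < MAX_BATCH; i++)
        (void)model_xdp_one(model_alloc_page(i), (fail_mask >> i) & 1u, fixed);
    return total_len;                 /* caller takes the success path, frees nothing */
}

/* Pages still held after one batch; bit i of fail_mask makes frame i fail. */
int leaked_pages(int n, unsigned fail_mask, int fixed) {
    live_pages = 0;
    model_sendmsg(n, fail_mask, fixed, 1500 * n);
    return live_pages;
}

int main(void) {
    printf("unfixed: %d, fixed: %d\n", leaked_pages(8, 0x05, 0), leaked_pages(8, 0x05, 1));
    return 0;
}
```

Because the batch call reports success either way, the only observable difference between the two variants is the count of pages still held afterwards.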

CVSS Details

Base Score: 7.1
Exploitability: 2.5
Impact: 4.0
Vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: None
Integrity: None
Availability: High

Threat Intelligence

EPSS Exploit Probability: 2.9% percentile
Exploit & Patch Status: No Known Exploit; No Patch Available

References (8)

  • git.kernel.org https://git.kernel.org/stable/c/2638a9c1521905bb5c5d1e95c8fbc09f79148ed7
  • git.kernel.org https://git.kernel.org/stable/c/26fe549b5192536b6c1c68a2dfdc8c0dcf9fa4a9
  • git.kernel.org https://git.kernel.org/stable/c/4fefc6156a162a9f50035c12091a5e5130c82c6e
  • git.kernel.org https://git.kernel.org/stable/c/60d9c0d6cdde5420d6483c921b16fe5465eb5238
  • git.kernel.org https://git.kernel.org/stable/c/793385c154771603b8671dd8338927221e9d8d78
  • git.kernel.org https://git.kernel.org/stable/c/aa308e9dbb9acb17cacdbbce9e4504f69bac8385
  • git.kernel.org https://git.kernel.org/stable/c/aa8963fdce667a42fb7f0bdd2909fadcab02f9a8
  • git.kernel.org https://git.kernel.org/stable/c/d16e38fac09a47bfcf98c1ad65a1bb53f94540f5

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.