CVE-2026-52940

NONE EPSS 5.0%
Published Jun 24, 20265d ago · Modified Jun 24, 20265d ago
Find Similar
Published Jun 24, 2026 5d ago
Last Modified Jun 24, 2026 5d ago

Description

In the Linux kernel, the following vulnerability has been resolved: tun: zero the whole vnet header in tun_put_user() tun_put_user() declares an on-stack struct virtio_net_hdr_v1_hash_tunnel without zeroing it. For a non-tunnel skb, virtio_net_hdr_tnl_from_skb() only initializes the first 10 bytes (sizeof(struct virtio_net_hdr)), leaving bytes 10..23 (num_buffers and the hash/tunnel fields) as stack garbage. An unprivileged user can set the vnet header size to 24 with TUNSETVNETHDRSZ, so __tun_vnet_hdr_put() copies all 24 bytes of the partially-initialized struct to userspace, leaking 14 bytes of kernel stack on every read of a non-tunnel packet. Fix it the same way tun_get_user() already does by zeroing the whole header right after declaration.

Threat Intelligence

EPSS Exploit Probability
5.0% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

References 3

  • git.kernel.org https://git.kernel.org/stable/c/585cb85e9a29185be05f326369573c2663cf4380
  • git.kernel.org https://git.kernel.org/stable/c/5fd1fa5a4254bfdd70571c77f5e3bcb4e43738d5
  • git.kernel.org https://git.kernel.org/stable/c/7f2fcff15e99bb852f6967396ed12b38376e2c8d

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.