Description
In the Linux kernel, the following vulnerability has been resolved:

8021q: delete cleared egress QoS mappings

vlan_dev_set_egress_priority() currently keeps cleared egress
priority mappings in the hash as tombstones. Repeated set/clear cycles
with distinct skb priorities therefore accumulate mapping nodes until
device teardown and leak memory.

Delete mappings when vlan_prio is cleared instead of keeping tombstones.
Now that the egress mapping lists are RCU protected, the node can be
unlinked safely and freed after a grace period.
Published: 2026-05-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s VLAN QoS driver contains a flaw where vlan_dev_set_egress_priority retains cleared egress priority entries as tombstone nodes in a hash table. Repeated cycles of setting and clearing distinct packet priorities lead to an unbounded accumulation of these tombstones, gradually exhausting available memory. When the system memory is depleted, the kernel is forced to crash or reboot, resulting in a denial‑of‑service condition for all services running on the host. Based on the description, it is inferred that an attacker must be able to modify VLAN egress QoS settings—a task that typically requires local or elevated privileges on the system.
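The accumulation described above can be shown with a user-space model that runs the same set/clear cycle with and without deletion on clear. This C program is an added example, not kernel code and not part of the OpenCVE record; the 16-bucket table, the struct layout and the names set_egress and nodes_after_cycles are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#define BUCKETS 16   /* constructed size for this model */
struct mapping {     /* one skb priority -> VLAN priority entry */
    unsigned int priority;
    unsigned short vlan_prio;            /* 0 = cleared */
    struct mapping *next;
};
struct egress_map { struct mapping *bucket[BUCKETS]; size_t nodes; };

/* delete_on_clear: 0 keeps cleared entries as tombstones, 1 frees them. */
static int set_egress(struct egress_map *m, unsigned int prio,
                      unsigned short vlan_prio, int delete_on_clear)
{
    struct mapping **pp = &m->bucket[prio % BUCKETS], *mp;
    for (; (mp = *pp) != NULL; pp = &mp->next) {
        if (mp->priority != prio) continue;
        if (vlan_prio == 0 && delete_on_clear) {
            *pp = mp->next;              /* unlink from the bucket chain */
            free(mp);                    /* kernel code defers this past an RCU grace period */
            m->nodes--;
        } else {
            mp->vlan_prio = vlan_prio;   /* writing 0 leaves a tombstone */
        }
        return 0;
    }
    if (vlan_prio == 0) return 0;        /* model choice: nothing to clear */
    if ((mp = calloc(1, sizeof(*mp))) == NULL) return -1;
    mp->priority = prio; mp->vlan_prio = vlan_prio;
    *pp = mp; m->nodes++;                /* append at the chain tail */
    return 0;
}

/* Set then clear n distinct priorities; return nodes still allocated. */
static size_t nodes_after_cycles(unsigned int n, int delete_on_clear)
{
    struct egress_map m = {0}; size_t left;
    for (unsigned int p = 1; p <= n; p++)
        if (set_egress(&m, p, 5, delete_on_clear) == 0)
            set_egress(&m, p, 0, delete_on_clear);
    left = m.nodes;
    for (unsigned int p = 1; p <= n; p++)
        set_egress(&m, p, 0, 1);         /* teardown: free what is left */
    return left;
}

int main(void)
{
    printf("%zu vs %zu\n", nodes_after_cycles(1000, 0), nodes_after_cycles(1000, 1));
    return 0;
}
```

With tombstones every distinct priority that was ever set keeps its node until teardown; with delete-on-clear the count returns to zero after each cycle.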

Affected Systems

All Linux kernel versions before the commit that removes the tombstone handling (commit 7dddc74) are affected. This includes mainstream releases such as the 2.6.12 series and any derivative kernels that ship the 8021q driver without the cleanup logic. Systems running these kernels and exposing the VLAN QoS interface are vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while the EPSS score of <1% reflects a low likelihood of exploitation. The vulnerability is not listed in CISA KEV. Exploitation requires local or privileged access to configure VLAN egress QoS; an attacker who can perform such configuration changes can repeatedly trigger the memory leak, leading to gradual exhaustion of kernel memory. Because the flaw is local and does not rely on external network exposure, it cannot be remotely leveraged without first obtaining privileged access.

Generated by OpenCVE AI on June 10, 2026 at 01:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel release that includes commit 7dddc74, which removes the tombstone handling from vlan_dev_set_egress_priority
  • If a kernel upgrade is not feasible, restrict or audit the ability to change egress QoS priority mappings on VLAN devices, limiting such changes to trusted administrators and disabling the configuration API where possible
  • Implement memory‑usage monitoring on hosts that run affected kernels, setting alerts for abnormal growth in VLAN‑related memory allocations to detect and mitigate the leak before it causes a reboot



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399

Tue, 09 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Thu, 28 May 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Title 8021q: delete cleared egress QoS mappings
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:58:29.635Z

Reserved: 2026-05-13T15:03:33.101Z

Link: CVE-2026-46153

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-28T10:16:30.947

Modified: 2026-06-09T21:01:01.020

Link: CVE-2026-46153

Redhat

Severity: Low

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46153 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T01:45:18Z

Weaknesses