CVE-2026-46321 - Vulnerability Details

- tun: free page on short-frame rejection in tun_xdp_one()

Description

In the Linux kernel, the following vulnerability has been resolved:

tun: free page on short-frame rejection in tun_xdp_one()

tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without
freeing the page that vhost_net_build_xdp() allocated for it.
tun_sendmsg() discards that -EINVAL and still returns total_len, so
vhost_tx_batch() takes the success path and never frees the page; each
short frame in a batch leaks one page-frag chunk.

A local process that can open /dev/net/tun and /dev/vhost-net can hit
this path: it attaches a tun/tap device as the vhost-net backend and
feeds TX descriptors whose length minus the virtio-net header is below
ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a
tight submission loop exhausts host memory and triggers an OOM panic.
Free the page before returning -EINVAL, matching the XDP-program error
path in the same function.

Published: 2026-06-09

Score: 5.5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel, tun_xdp_one() fails to free a page allocated for frames shorter than ETH_HLEN, resulting in a memory leak. The leaked page fragments accumulate with each short frame processed, eventually exhausting memory and triggering an OOM panic. This flaw is a classic memory leak (CWE-763) that undermines system stability.

Affected Systems

The vulnerability affects all Linux kernel versions prior to the patch that introduced proper page cleanup in tun_xdp_one(). It can be exercised by any local process that can open /dev/net/tun and /dev/vhost-net, attach a tun/tap device as the vhost-net backend, and send TX descriptors containing frames whose length minus the virtio-net header is below ETH_HLEN.

Risk and Exploitability

The exploit path is local: a user crafts a tight loop of short frames on a tun/tap interface connected to vhost-net, which repeatedly triggers the memory leak until the host runs out of memory and crashes. EPSS is not available, so the likelihood of exploitation is uncertain, but the impact is severe local denial of service. The vulnerability is not listed in the CISA KEV catalog, yet the absence of EPSS does not mitigate the risk of an OOM‑based DoS driven by ordinary user activity. The CVSS score is 5.5, indicating moderate severity.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`049584807f1d797fc3078b68035450a9769eb5c3`	affected	< 69863ff2720a0e9871f1a5710f2a33a94217fee0
`049584807f1d797fc3078b68035450a9769eb5c3`	affected	< 37a1c268c2c8090bf4dc552d732bd23ba36f8eb0
`049584807f1d797fc3078b68035450a9769eb5c3`	affected	< 98c67be9eb9de72465a071949e84a3cdb8fab5a3
`049584807f1d797fc3078b68035450a9769eb5c3`	affected	< f4feb1e20058e407cb00f45aff47f5b7e19a6bbf
`32b0aaba5dbc85816898167d9b5d45a22eae82e9`	affected	—
`6100e0237204890269e3f934acfc50d35fd6f319`	affected	—
`589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2`	affected	—
`ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146`	affected	—
`d5ad89b7d01ed4e66fd04734fc63d6e78536692a`	affected	—
`a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb`	affected	—
`8418f55302fa1d2eeb73e16e345167e545c598a5`	affected	—
`5.4.281`	affected	< 5.5
`5.10.223`	affected	< 5.11
`5.15.164`	affected	< 5.16
`6.1.102`	affected	< 6.2
`6.6.43`	affected	< 6.7
`6.9.12`	affected	< 6.10
`6.10.2`	affected	< 6.11

Linux

affected

Version	Status	Constraints
`6.11`	affected	—
`0`	unaffected	< 6.11
`6.12.93`	unaffected	≤ 6.12.*
`6.18.35`	unaffected	≤ 6.18.*
`7.0.12`	unaffected	≤ 7.0.*
`7.1-rc6`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[049584807f1d797fc3078b68035450a9769eb5c3,69863ff2720a0e9871f1a5710f2a33a94217fee0]`	affected	code_commit	—
`[049584807f1d797fc3078b68035450a9769eb5c3,37a1c268c2c8090bf4dc552d732bd23ba36f8eb0]`	affected	code_commit	—
`[049584807f1d797fc3078b68035450a9769eb5c3,98c67be9eb9de72465a071949e84a3cdb8fab5a3]`	affected	code_commit	—
`[049584807f1d797fc3078b68035450a9769eb5c3,f4feb1e20058e407cb00f45aff47f5b7e19a6bbf]`	affected	code_commit	—
`32b0aaba5dbc85816898167d9b5d45a22eae82e9`	affected	code_commit	—
`6100e0237204890269e3f934acfc50d35fd6f319`	affected	code_commit	—
`589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2`	affected	code_commit	—
`ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146`	affected	code_commit	—
`d5ad89b7d01ed4e66fd04734fc63d6e78536692a`	affected	code_commit	—
`a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb`	affected	code_commit	—
`8418f55302fa1d2eeb73e16e345167e545c598a5`	affected	code_commit	—
`[5.4.281,5.5)`	affected	semver	—
`[5.10.223,5.11)`	affected	semver	—
`[5.15.164,5.16)`	affected	semver	—
`[6.1.102,6.2)`	affected	semver	—
`[6.6.43,6.7)`	affected	semver	—
`[6.9.12,6.10)`	affected	semver	—
`[6.10.2,6.11)`	affected	semver	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.11`	affected	generic	—
`[0,6.11)`	unaffected	generic	—
`[6.12.93,6.13.0)`	unaffected	semver	—
`[6.18.35,6.19.0)`	unaffected	semver	—
`[7.0.12,7.1.0)`	unaffected	semver	—
`[7.1-rc6,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that contains the fix for tun_xdp_one()
Restrict access to /dev/net/tun and /dev/vhost-net to trusted users or groups
Configure monitoring and alerts for OOM events to detect potential memory exhaustion

Generated by OpenCVE AI on June 10, 2026 at 01:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/37a1c268c2c8090bf4dc552d732bd23ba36f8eb0
https://git.kernel.org/stable/c/69863ff2720a0e9871f1a5710f2a33a94217fee0
https://git.kernel.org/stable/c/98c67be9eb9de72465a071949e84a3cdb8fab5a3
https://git.kernel.org/stable/c/f4feb1e20058e407cb00f45aff47f5b7e19a6bbf
https://lore.kernel.org/linux-cve-announce/2026060925-CVE-2026-46321-8e46@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46321
https://www.cve.org/CVERecord?id=CVE-2026-46321

History

Wed, 10 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-763
References		https://lore.kernel.org/linux-cve-announce/2026060925-CVE-2026-46321-8e46@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46321 https://www.cve.org/CVERecord?id=CVE-2026-46321
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Tue, 09 Jun 2026 12:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: tun: free page on short-frame rejection in tun_xdp_one() tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk. A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.
Title		tun: free page on short-frame rejection in tun_xdp_one()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/37a1c268c2c8090bf4dc552d732bd23ba36f8eb0 https://git.kernel.org/stable/c/69863ff2720a0e9871f1a5710f2a33a94217fee0 https://git.kernel.org/stable/c/98c67be9eb9de72465a071949e84a3cdb8fab5a3 https://git.kernel.org/stable/c/f4feb1e20058e407cb00f45aff47f5b7e19a6bbf

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-09T12:11:13.872Z

Updated: 2026-06-09T12:11:13.872Z

Reserved: 2026-05-13T15:03:33.112Z

Link: CVE-2026-46321

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-09T13:16:37.473

Modified: 2026-06-09T13:16:37.473

Link: CVE-2026-46321

Redhat

Severity : Moderate

Publid Date: 2026-06-09T00:00:00Z

Links: CVE-2026-46321 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T01:45:18Z

Weaknesses

CWE-763

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object