Description
In the Linux kernel, the following vulnerability has been resolved:

tun: zero the whole vnet header in tun_put_user()

tun_put_user() declares an on-stack struct virtio_net_hdr_v1_hash_tunnel
without zeroing it. For a non-tunnel skb, virtio_net_hdr_tnl_from_skb()
only initializes the first 10 bytes (sizeof(struct virtio_net_hdr)),
leaving bytes 10..23 (num_buffers and the hash/tunnel fields) as stack
garbage.

An unprivileged user can set the vnet header size to 24 with
TUNSETVNETHDRSZ, so __tun_vnet_hdr_put() copies all 24 bytes of the
partially-initialized struct to userspace, leaking 14 bytes of kernel
stack on every read of a non-tunnel packet.

Fix it the same way tun_get_user() already does by zeroing the whole
header right after declaration.
Published: 2026-06-24
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the tun driver of the Linux kernel. When a non‑tunnel socket buffer is read through a TUN interface, tun_put_user() allocates a stack‑based struct for the vnet header but only zeroes the first 10 bytes. An unprivileged local user can set a header size of 24 bytes with the TUNSETVNETHDRSZ ioctl, causing the partially initialized structure to be copied into user space. Each read of a non‑tunnel packet leaks 14 bytes of kernel stack data, resulting in kernel‑level information disclosure that an attacker can repeatedly obtain.

Affected Systems

Any Linux system running a kernel version that predates the patch in commit 585cb85e9a29185be05f326369573c2663cf4380 include the fix and are not susceptible. System administrators should verify whether their running kernel was built prior to this commit.

Risk and Exploitability

The flaw can beprivileged access; no remote attack vector or elevated privileges are required. The CVSS score of 7.0 indicates moderate risk, while the EPSS score of less than 1% reflects a low but nonzero probability of exploitation. Although the vulnerability is not listed in the CISA KEV catalog, the disclosed kernel information may aid attackers in building more advanced exploits. The impact is therefore significant if the affected system the of exploitation is relatively low.

Generated by OpenCVE AI on June 25, 2026 at 03:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that zeroes the vnet header in tun_put_user
  • Upgrade the Linux kernel to a version that includes the patch
  • Disable or remove the tun interface if it is not required for your use case

Generated by OpenCVE AI on June 25, 2026 at 03:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-909
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: tun: zero the whole vnet header in tun_put_user() tun_put_user() declares an on-stack struct virtio_net_hdr_v1_hash_tunnel without zeroing it. For a non-tunnel skb, virtio_net_hdr_tnl_from_skb() only initializes the first 10 bytes (sizeof(struct virtio_net_hdr)), leaving bytes 10..23 (num_buffers and the hash/tunnel fields) as stack garbage. An unprivileged user can set the vnet header size to 24 with TUNSETVNETHDRSZ, so __tun_vnet_hdr_put() copies all 24 bytes of the partially-initialized struct to userspace, leaking 14 bytes of kernel stack on every read of a non-tunnel packet. Fix it the same way tun_get_user() already does by zeroing the whole header right after declaration.
Title tun: zero the whole vnet header in tun_put_user()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T07:14:29.281Z

Reserved: 2026-06-09T07:44:35.370Z

Link: CVE-2026-52940

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52940 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T03:30:17Z

Weaknesses
  • CWE-909

    Missing Initialization of Resource