Description
In the Linux kernel, the following vulnerability has been resolved:

neigh: let neigh_xmit take skb ownership

neigh_xmit always releases the skb, except when no neighbour table is
found. But even the first added user of neigh_xmit (mpls) relied on
neigh_xmit to release the skb (or queue it for tx).

sashiko reported:
If neigh_xmit() is called with an uninitialized neighbor table (for
example, NEIGH_ND_TABLE when IPv6 is disabled), it returns -EAFNOSUPPORT
and bypasses its internal out_kfree_skb error path. Because the return
value of neigh_xmit() is ignored here, does this leak the SKB?

Assume full ownership and remove the last code path that doesn't
xmit or free skb.
Published: 2026-06-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, the neigh_xmit routine incorrectly manages socket buffer (skb) ownership when a neighbor table is absent. When neigh_xmit is called without an initialized neighbor table, it returns an error and skips the code that would normally free or transmit the skb. Because callers ignore the return value, the skb can remain allocated, creating a memory leak. These missing releases can lead to kernel memory exhaustion and, eventually, a denial‑of‑service. This issue exemplifies a CWE‑772 Resource Leak vulnerability.

Affected Systems

It affects any Linux kernel build that has not yet applied the ownership change to neigh_xmit. All distributions based on the kernel source prior to the patch, including recent stable releases, are at risk. The issue is unrelated to specific network drivers, so any system using the default network stack could be impacted.

Risk and Exploitability

The CVSS score is 7.5, reflecting high severity. The EPSS value of < 1% indicates a very low likelihood of exploitation in the wild, and the vulnerability is not included in the CISA KEV catalog. An attacker would need to trigger neigh_xmit with an uninitialized neighbor table, which could be achieved by crafting particular MPLS packets, disabling IPv6, or manipulating netlink interfaces. If successful, the silent skb leak could accumulate over time, depleting system memory and causing kernel panics or hangs.

Generated by OpenCVE AI on June 28, 2026 at 13:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the neigh_xmit ownership fix.
  • Disable or limit features that may invoke neigh_xmit with an uninitialized neighbor table, such as turning off IPv6 when not needed or restricting MPLS configuration.
  • Monitor kernel memory usage for abnormal increases in skb allocations and set alerts to trigger remediation if excessive memory consumption is detected.

Generated by OpenCVE AI on June 28, 2026 at 13:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Sat, 27 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: neigh: let neigh_xmit take skb ownership neigh_xmit always releases the skb, except when no neighbour table is found. But even the first added user of neigh_xmit (mpls) relied on neigh_xmit to release the skb (or queue it for tx). sashiko reported: If neigh_xmit() is called with an uninitialized neighbor table (for example, NEIGH_ND_TABLE when IPv6 is disabled), it returns -EAFNOSUPPORT and bypasses its internal out_kfree_skb error path. Because the return value of neigh_xmit() is ignored here, does this leak the SKB? Assume full ownership and remove the last code path that doesn't xmit or free skb.
Title neigh: let neigh_xmit take skb ownership
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:37:33.379Z

Reserved: 2026-06-09T07:44:35.376Z

Link: CVE-2026-52981

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52981 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T13:45:06Z

Weaknesses
  • CWE-772

    Missing Release of Resource after Effective Lifetime