Description
In the Linux kernel, the following vulnerability has been resolved:

neigh: let neigh_xmit take skb ownership

neigh_xmit always releases the skb, except when no neighbour table is
found. But even the first added user of neigh_xmit (mpls) relied on
neigh_xmit to release the skb (or queue it for tx).

sashiko reported:
If neigh_xmit() is called with an uninitialized neighbor table (for
example, NEIGH_ND_TABLE when IPv6 is disabled), it returns -EAFNOSUPPORT
and bypasses its internal out_kfree_skb error path. Because the return
value of neigh_xmit() is ignored here, does this leak the SKB?

Assume full ownership and remove the last code path that doesn't
xmit or free skb.
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw arises when the neigh_xmit function is invoked with an uninitialized neighbor table, causing it to return an error and skip its normal skb free routine. As a result, the socket buffer (skb) remains allocated and is not released or queued, leading to a memory leak. This bug exemplifies improper resource deallocation and can undermine system stability by consuming memory over time.
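
A userspace C model of the ownership contract described above, added here as an illustration; it is not the kernel's code or the actual patch. `alloc_skb`, `kfree_skb` and the `table_registered` array are simplified stand-ins, and `leaked_after_calls` is a hypothetical helper that plays the caller ignoring the return value.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model: names mirror the advisory, bodies are illustrative only. */
struct sk_buff { int len; };
static int live_skbs;                 /* buffers allocated and not yet freed */

static struct sk_buff *alloc_skb(void) { live_skbs++; return calloc(1, sizeof(struct sk_buff)); }
static void kfree_skb(struct sk_buff *skb) { live_skbs--; free(skb); }

enum { NEIGH_ARP_TABLE, NEIGH_ND_TABLE, NEIGH_NR_TABLES };
/* Assumption: only the ARP slot is registered, as when IPv6 is disabled. */
static const int table_registered[NEIGH_NR_TABLES] = { 1, 0 };

/* Before: the missing-table path returns without freeing the skb. */
static int neigh_xmit_before(int index, struct sk_buff *skb)
{
    if (!table_registered[index])
        return -EAFNOSUPPORT;         /* nobody owns the skb any more */
    kfree_skb(skb);                   /* stands in for "xmit or free" */
    return 0;
}

/* After: every path consumes the skb, so a caller may ignore the result. */
static int neigh_xmit_after(int index, struct sk_buff *skb)
{
    int err = table_registered[index] ? 0 : -EAFNOSUPPORT;
    kfree_skb(skb);                   /* error path now releases it too */
    return err;
}

/* Caller that ignores the return value; reports buffers still allocated. */
static int leaked_after_calls(int (*xmit)(int, struct sk_buff *), int index, int n)
{
    live_skbs = 0;
    for (int i = 0; i < n; i++)
        (void)xmit(index, alloc_skb());
    return live_skbs;
}

int main(void)
{
    printf("before: %d leaked\n", leaked_after_calls(neigh_xmit_before, NEIGH_ND_TABLE, 1000));
    printf("after:  %d leaked\n", leaked_after_calls(neigh_xmit_after, NEIGH_ND_TABLE, 1000));
    return 0;
}
```

In the model, each call on the unregistered table leaves one buffer allocated in the "before" variant and none in the "after" variant, while the error code returned to the caller is unchanged.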

Affected Systems

All Linux kernel versions that include the vulnerable neigh_xmit implementation without the ownership changes described in the fix. No specific version numbers are listed in the available data, so the entire vulnerable kernel code base is impacted.

Risk and Exploitability

Exact exploitation details are not documented in the advisory, and key metrics such as CVSS and EPSS are not available. The bug appears to be exploitable only in contexts where a local system can trigger neigh_xmit calls with an uninitialized neighbor table—typically environments that manipulate neighbor entries or use MPLS. This might enable a local privileged user to indirectly cause resource exhaustion or a kernel crash, though no known wide‑scale remote exploitation has been reported and the vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 24, 2026 at 18:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the neigh_xmit ownership fix
  • Ensure that the system does not use or enable neighbor tables that are left uninitialized, such as disabling IPv6 when it is not required
  • Monitor kernel memory usage for unusual sk_buff allocations to detect potential leaks during transition periods


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-401

Wed, 24 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | (the description text shown at the top of this page)
Title | | neigh: let neigh_xmit take skb ownership
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:28:57.074Z

Reserved: 2026-06-09T07:44:35.376Z

Link: CVE-2026-52981

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T18:45:05Z

Weaknesses
  • CWE-401: Missing Release of Memory after Effective Lifetime