Home

Description

In the Linux kernel, the following vulnerability has been resolved: tun: free page on short-frame rejection in tun_xdp_one() tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk. A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.

PUBLISHED Reserved 2026-05-13 | Published 2026-06-09 | Updated 2026-06-09 | Assigner Linux

Product status

Default status
unaffected

049584807f1d797fc3078b68035450a9769eb5c3 (git) before 69863ff2720a0e9871f1a5710f2a33a94217fee0
affected

049584807f1d797fc3078b68035450a9769eb5c3 (git) before 37a1c268c2c8090bf4dc552d732bd23ba36f8eb0
affected

049584807f1d797fc3078b68035450a9769eb5c3 (git) before 98c67be9eb9de72465a071949e84a3cdb8fab5a3
affected

049584807f1d797fc3078b68035450a9769eb5c3 (git) before f4feb1e20058e407cb00f45aff47f5b7e19a6bbf
affected

32b0aaba5dbc85816898167d9b5d45a22eae82e9 (git)
affected

6100e0237204890269e3f934acfc50d35fd6f319 (git)
affected

589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2 (git)
affected

ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146 (git)
affected

d5ad89b7d01ed4e66fd04734fc63d6e78536692a (git)
affected

a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb (git)
affected

8418f55302fa1d2eeb73e16e345167e545c598a5 (git)
affected

5.4.281 (semver) before 5.5
affected

5.10.223 (semver) before 5.11
affected

5.15.164 (semver) before 5.16
affected

6.1.102 (semver) before 6.2
affected

6.6.43 (semver) before 6.7
affected

6.9.12 (semver) before 6.10
affected

6.10.2 (semver) before 6.11
affected

Default status
affected

6.11
affected

Any version before 6.11
unaffected

6.12.93 (semver)
unaffected

6.18.35 (semver)
unaffected

7.0.12 (semver)
unaffected

7.1-rc6 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/69863ff2720a0e9871f1a5710f2a33a94217fee0

git.kernel.org/...c/37a1c268c2c8090bf4dc552d732bd23ba36f8eb0

git.kernel.org/...c/98c67be9eb9de72465a071949e84a3cdb8fab5a3

git.kernel.org/...c/f4feb1e20058e407cb00f45aff47f5b7e19a6bbf

cve.org (CVE-2026-46321)

nvd.nist.gov (CVE-2026-46321)

Download JSON