Voozh

Vulnerabilities

CVE-2026-46321 Detail

Received

This CVE record has recently been published to the CVE List and has been included within the NVD dataset.

Description

In the Linux kernel, the following vulnerability has been resolved: tun: free page on short-frame rejection in tun_xdp_one() tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk. A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

👁 NIST CVSS score

NIST: NVD

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL	Source(s)	Tag(s)
https://git.kernel.org/stable/c/0a6f46a9332ad6958992d64d3b3a81a80b2ca940	kernel.org
https://git.kernel.org/stable/c/0e8211fcf9426f5adddf32516ba0f400ceb9544d	kernel.org
https://git.kernel.org/stable/c/37a1c268c2c8090bf4dc552d732bd23ba36f8eb0	kernel.org
https://git.kernel.org/stable/c/5b34f9e4fe2f203724a6e893d6df0316b9670057	kernel.org
https://git.kernel.org/stable/c/69863ff2720a0e9871f1a5710f2a33a94217fee0	kernel.org
https://git.kernel.org/stable/c/98c67be9eb9de72465a071949e84a3cdb8fab5a3	kernel.org
https://git.kernel.org/stable/c/e915445942af6dcea628bf66d6241641201a0c41	kernel.org
https://git.kernel.org/stable/c/f4feb1e20058e407cb00f45aff47f5b7e19a6bbf	kernel.org

Weakness Enumeration

CWE-ID	CWE Name	Source

Change History

4 change records found show changes

CVE Modified by kernel.org 6/19/2026 9:16:36 AM

Action	Type	Old Value	New Value
Added	Reference	https://git.kernel.org/stable/c/0a6f46a9332ad6958992d64d3b3a81a80b2ca940
Added	Reference	https://git.kernel.org/stable/c/0e8211fcf9426f5adddf32516ba0f400ceb9544d
Added	Reference	https://git.kernel.org/stable/c/5b34f9e4fe2f203724a6e893d6df0316b9670057
Added	Reference	https://git.kernel.org/stable/c/e915445942af6dcea628bf66d6241641201a0c41
Changed	Affected	Record truncated, showing 2048 of 2717 characters. View Entire Change Record [{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/net/tun.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"049584807f1d797fc3078b68035450a9769eb5c3","lessThan":"69863ff2720a0e9871f1a5710f2a33a94217fee0","versionType":"git","status":"affected"},{"version":"049584807f1d797fc3078b68035450a9769eb5c3","lessThan":"37a1c268c2c8090bf4dc552d732bd23ba36f8eb0","versionType":"git","status":"affected"},{"version":"049584807f1d797fc3078b68035450a9769eb5c3","lessThan":"98c67be9eb9de72465a071949e84a3cdb8fab5a3","versionType":"git","status":"affected"},{"version":"049584807f1d797fc3078b68035450a9769eb5c3","lessThan":"f4feb1e20058e407cb00f45aff47f5b7e19a6bbf","versionType":"git","status":"affected"},{"version":"32b0aaba5dbc85816898167d9b5d45a22eae82e9","versionType":"git","status":"affected"},{"version":"6100e0237204890269e3f934acfc50d35fd6f319","versionType":"git","status":"affected"},{"version":"589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2","versionType":"git","status":"affected"},{"version":"ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146","versionType":"git","status":"affected"},{"version":"d5ad89b7d01ed4e66fd04734fc63d6e78536692a","versionType":"git","status":"affected"},{"version":"a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb","versionType":"git","status":"affected"},{"version":"8418f55302fa1d2eeb73e16e345167e545c598a5","versionType":"git","status":"affected"},{"version":"5.4.281","lessThan":"5.5","versionType":"semver","status":"affected"},{"version":"5.10.223","lessThan":"5.11","versionType":"semver","status":"affected"},{"version":"5.15.164","lessThan":"5.16","versionType":"semver","status":"affected"},{"version":"6.1.102","lessThan":"6.2","versionType":"semver","status":"affected"},{"version":"6.6.43","lessThan":"6.7","versionType":"semver","status":"affected"},{"version":"6.9.12","lessThan":"6.10","versionType":"semver","status":"affected"},{"version":"6.10.2","lessThan":"6.11","versionType":"semver","status":"affected"}]},{"vendor":"Linux","	Record truncated, showing 2048 of 3325 characters. View Entire Change Record [{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/net/tun.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6100e0237204890269e3f934acfc50d35fd6f319","lessThan":"0a6f46a9332ad6958992d64d3b3a81a80b2ca940","versionType":"git","status":"affected"},{"version":"589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2","lessThan":"0e8211fcf9426f5adddf32516ba0f400ceb9544d","versionType":"git","status":"affected"},{"version":"ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146","lessThan":"e915445942af6dcea628bf66d6241641201a0c41","versionType":"git","status":"affected"},{"version":"d5ad89b7d01ed4e66fd04734fc63d6e78536692a","lessThan":"5b34f9e4fe2f203724a6e893d6df0316b9670057","versionType":"git","status":"affected"},{"version":"049584807f1d797fc3078b68035450a9769eb5c3","lessThan":"69863ff2720a0e9871f1a5710f2a33a94217fee0","versionType":"git","status":"affected"},{"version":"049584807f1d797fc3078b68035450a9769eb5c3","lessThan":"37a1c268c2c8090bf4dc552d732bd23ba36f8eb0","versionType":"git","status":"affected"},{"version":"049584807f1d797fc3078b68035450a9769eb5c3","lessThan":"98c67be9eb9de72465a071949e84a3cdb8fab5a3","versionType":"git","status":"affected"},{"version":"049584807f1d797fc3078b68035450a9769eb5c3","lessThan":"f4feb1e20058e407cb00f45aff47f5b7e19a6bbf","versionType":"git","status":"affected"},{"version":"32b0aaba5dbc85816898167d9b5d45a22eae82e9","versionType":"git","status":"affected"},{"version":"a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb","versionType":"git","status":"affected"},{"version":"8418f55302fa1d2eeb73e16e345167e545c598a5","versionType":"git","status":"affected"},{"version":"5.10.223","lessThan":"5.10.259","versionType":"semver","status":"affected"},{"version":"5.15.164","lessThan":"5.15.210","versionType":"semver","status":"affected"},{"version":"6.1.102","lessThan":"6.1.176","versionType":"semver","status":"affected"},{"version":"6.6.43","lessThan":"6.6.143","versionType":"semver","status":"affected"},{"version":"5.4.281","lessThan":"5.

Quick Info

CVE Dictionary Entry:
CVE-2026-46321
NVD Published Date:
06/09/2026
NVD Last Modified:
06/19/2026
Source:
kernel.org

URL: https://nvd.nist.gov/vuln/detail/CVE-2026-46321

⇱ NVD - CVE-2026-46321