{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46321", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-13T15:03:33.112Z", "datePublished": "2026-06-09T12:11:13.872Z", "dateUpdated": "2026-06-09T12:11:13.872Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-06-09T12:11:13.872Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: free page on short-frame rejection in tun_xdp_one()\n\ntun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without\nfreeing the page that vhost_net_build_xdp() allocated for it.\ntun_sendmsg() discards that -EINVAL and still returns total_len, so\nvhost_tx_batch() takes the success path and never frees the page; each\nshort frame in a batch leaks one page-frag chunk.\n\nA local process that can open /dev/net/tun and /dev/vhost-net can hit\nthis path: it attaches a tun/tap device as the vhost-net backend and\nfeeds TX descriptors whose length minus the virtio-net header is below\nETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a\ntight submission loop exhausts host memory and triggers an OOM panic.\nFree the page before returning -EINVAL, matching the XDP-program error\npath in the same function."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/tun.c"], "versions": [{"version": "049584807f1d797fc3078b68035450a9769eb5c3", "lessThan": "69863ff2720a0e9871f1a5710f2a33a94217fee0", "status": "affected", "versionType": "git"}, {"version": "049584807f1d797fc3078b68035450a9769eb5c3", "lessThan": "37a1c268c2c8090bf4dc552d732bd23ba36f8eb0", "status": "affected", "versionType": "git"}, {"version": "049584807f1d797fc3078b68035450a9769eb5c3", "lessThan": "98c67be9eb9de72465a071949e84a3cdb8fab5a3", "status": "affected", "versionType": "git"}, {"version": "049584807f1d797fc3078b68035450a9769eb5c3", "lessThan": "f4feb1e20058e407cb00f45aff47f5b7e19a6bbf", "status": "affected", "versionType": "git"}, {"version": "32b0aaba5dbc85816898167d9b5d45a22eae82e9", "status": "affected", "versionType": "git"}, {"version": "6100e0237204890269e3f934acfc50d35fd6f319", "status": "affected", "versionType": "git"}, {"version": "589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2", "status": "affected", "versionType": "git"}, {"version": "ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146", "status": "affected", "versionType": "git"}, {"version": "d5ad89b7d01ed4e66fd04734fc63d6e78536692a", "status": "affected", "versionType": "git"}, {"version": "a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb", "status": "affected", "versionType": "git"}, {"version": "8418f55302fa1d2eeb73e16e345167e545c598a5", "status": "affected", "versionType": "git"}, {"version": "5.4.281", "lessThan": "5.5", "status": "affected", "versionType": "semver"}, {"version": "5.10.223", "lessThan": "5.11", "status": "affected", "versionType": "semver"}, {"version": "5.15.164", "lessThan": "5.16", "status": "affected", "versionType": "semver"}, {"version": "6.1.102", "lessThan": "6.2", "status": "affected", "versionType": "semver"}, {"version": "6.6.43", "lessThan": "6.7", "status": "affected", "versionType": "semver"}, {"version": "6.9.12", "lessThan": "6.10", "status": "affected", "versionType": "semver"}, {"version": "6.10.2", "lessThan": "6.11", "status": "affected", "versionType": "semver"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/tun.c"], "versions": [{"version": "6.11", "status": "affected"}, {"version": "0", "lessThan": "6.11", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.93", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.35", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.12", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc6", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.12.93"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.18.35"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "7.0.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "7.1-rc6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.281"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.223"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.164"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.102"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.43"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10.2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/69863ff2720a0e9871f1a5710f2a33a94217fee0"}, {"url": "https://git.kernel.org/stable/c/37a1c268c2c8090bf4dc552d732bd23ba36f8eb0"}, {"url": "https://git.kernel.org/stable/c/98c67be9eb9de72465a071949e84a3cdb8fab5a3"}, {"url": "https://git.kernel.org/stable/c/f4feb1e20058e407cb00f45aff47f5b7e19a6bbf"}], "title": "tun: free page on short-frame rejection in tun_xdp_one()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: free page on short-frame rejection in tun_xdp_one()\n\ntun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without\nfreeing the page that vhost_net_build_xdp() allocated for it.\ntun_sendmsg() discards that -EINVAL and still returns total_len, so\nvhost_tx_batch() takes the success path and never frees the page; each\nshort frame in a batch leaks one page-frag chunk.\n\nA local process that can open /dev/net/tun and /dev/vhost-net can hit\nthis path: it attaches a tun/tap device as the vhost-net backend and\nfeeds TX descriptors whose length minus the virtio-net header is below\nETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a\ntight submission loop exhausts host memory and triggers an OOM panic.\nFree the page before returning -EINVAL, matching the XDP-program error\npath in the same function."}], "id": "CVE-2026-46321", "lastModified": "2026-06-09T13:16:37.473", "metrics": {}, "published": "2026-06-09T13:16:37.473", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/37a1c268c2c8090bf4dc552d732bd23ba36f8eb0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/69863ff2720a0e9871f1a5710f2a33a94217fee0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/98c67be9eb9de72465a071949e84a3cdb8fab5a3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f4feb1e20058e407cb00f45aff47f5b7e19a6bbf"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: tun: free page on short-frame rejection in tun_xdp_one()", "id": "2486977", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2486977"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-763", "details": ["A flaw was found in the Linux kernel. A local attacker with access to the tun/tap device can exploit this vulnerability. By sending network frames shorter than the expected header length, the system fails to free allocated memory pages, leading to memory leaks. This can exhaust system memory, resulting in a denial of service (DoS) and causing the system to crash."], "name": "CVE-2026-46321", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-06-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-46321\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-46321\nhttps://lore.kernel.org/linux-cve-announce/2026060925-CVE-2026-46321-8e46@gregkh/T"], "threat_severity": "Moderate"}