CVE-2026-46320 – tap: free page on error paths in tap_get_user_xdp()

CVE ID :CVE-2026-46320

Published : June 9, 2026, 12:11 p.m. | 24 minutes ago

Description :In the Linux kernel, the following vulnerability has been resolved:

tap: free page on error paths in tap_get_user_xdp()

tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL,
and returns -ENOMEM when build_skb() fails. Both paths jump to the err
label without freeing the page that vhost_net_build_xdp() allocated for
the frame. tap_sendmsg() discards the per-buffer return value and always
returns 0, so vhost_tx_batch() takes the success path and never frees
the page; each rejected frame in a batch leaks one page-frag chunk.

Free the page on both error paths, before the skb is built. This is the
tap counterpart of the same leak in tun_xdp_one().

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-46324 – netfilter: nf_tables: use list_del_rcu for netlink hooks

CVE-2026-46323 – net: gro: don’t merge zcopy skbs

CVE-2026-46322 – tun: free page on build_skb failure in tun_xdp_one()

CVE-2026-46321 – tun: free page on short-frame rejection in tun_xdp_one()