CVE-2026-46322 – tun: free page on build_skb failure in tun_xdp_one()

CVE ID :CVE-2026-46322

Published : June 9, 2026, 12:11 p.m. | 24 minutes ago

Description :In the Linux kernel, the following vulnerability has been resolved:

tun: free page on build_skb failure in tun_xdp_one()

When build_skb() fails in tun_xdp_one(), the function sets ret to
-ENOMEM and jumps to the out label, which returns without freeing the
page that vhost_net_build_xdp() allocated for the frame. As with the
short-frame rejection path, tun_sendmsg() discards the per-buffer error
and still returns total_len, so vhost_tx_batch() takes the success path
and never frees the page. Each build_skb() failure in a batch leaks one
page-frag chunk.

Free the page before taking the error path, matching the put_page() the
other error exits of tun_xdp_one() already perform.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-46324 – netfilter: nf_tables: use list_del_rcu for netlink hooks

CVE-2026-46323 – net: gro: don’t merge zcopy skbs

CVE-2026-46321 – tun: free page on short-frame rejection in tun_xdp_one()

CVE-2026-46320 – tap: free page on error paths in tap_get_user_xdp()