7.1

CVE-2026-46321

tun: free page on short-frame rejection in tun_xdp_one()

In the Linux kernel, the following vulnerability has been resolved:

tun: free page on short-frame rejection in tun_xdp_one()

tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without
freeing the page that vhost_net_build_xdp() allocated for it.
tun_sendmsg() discards that -EINVAL and still returns total_len, so
vhost_tx_batch() takes the success path and never frees the page; each
short frame in a batch leaks one page-frag chunk.

A local process that can open /dev/net/tun and /dev/vhost-net can hit
this path: it attaches a tun/tap device as the vhost-net backend and
feeds TX descriptors whose length minus the virtio-net header is below
ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a
tight submission loop exhausts host memory and triggers an OOM panic.
Free the page before returning -EINVAL, matching the XDP-program error
path in the same function.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 5.4.281 < 5.5
LinuxLinux Kernel Version >= 5.10.223 < 5.10.259
LinuxLinux Kernel Version >= 5.15.164 < 5.15.210
LinuxLinux Kernel Version >= 6.1.102 < 6.1.176
LinuxLinux Kernel Version >= 6.6.43 < 6.6.143
LinuxLinux Kernel Version >= 6.9.12 < 6.10
LinuxLinux Kernel Version >= 6.10.2 < 6.12.93
LinuxLinux Kernel Version >= 6.13 < 6.18.35
LinuxLinux Kernel Version >= 6.19 < 7.0.12
LinuxLinux Kernel Version7.1 Updaterc1
LinuxLinux Kernel Version7.1 Updaterc2
LinuxLinux Kernel Version7.1 Updaterc3
LinuxLinux Kernel Version7.1 Updaterc4
LinuxLinux Kernel Version7.1 Updaterc5
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.13% 0.028
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.1 2.5 4
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/69863ff2720a0e9871f1a5710f2a33a94217fee0
Patch
https://git.kernel.org/stable/c/37a1c268c2c8090bf4dc552d732bd23ba36f8eb0
Patch
https://git.kernel.org/stable/c/98c67be9eb9de72465a071949e84a3cdb8fab5a3
Patch
https://git.kernel.org/stable/c/f4feb1e20058e407cb00f45aff47f5b7e19a6bbf
Patch
https://git.kernel.org/stable/c/0a6f46a9332ad6958992d64d3b3a81a80b2ca940
Patch
https://git.kernel.org/stable/c/0e8211fcf9426f5adddf32516ba0f400ceb9544d
Patch
https://git.kernel.org/stable/c/5b34f9e4fe2f203724a6e893d6df0316b9670057
Patch
https://git.kernel.org/stable/c/e915445942af6dcea628bf66d6241641201a0c41
Patch