Skip to main content

Linux Kernel CVE-2026-46320

| EUVDEUVD-2026-35410 HIGH
2026-06-09 Linux GHSA-xqcf-gwj9-5c88
High
Disputed · 7.4 Vendor: Linux
Share

Severity by source

Sources disagree (Low–High)
Vendor (Linux) PRIMARY
7.4 HIGH
AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Trigger requires local control of a vhost_net peer (guest VM or tap fd holder), so AV:L and PR:L; leaked host kernel memory crosses a trust boundary giving S:C and A:H, with no C/I impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
SUSE
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Red Hat
5.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: Linux

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 14, 2026 - 06:32 vuln.today
CVSS changed
Jun 14, 2026 - 06:22 NVD
7.4 (HIGH)
Patch available
Jun 09, 2026 - 14:01 EUVD
CVE Published
Jun 09, 2026 - 12:11 cve.org
HIGH 7.4
CVE Published
Jun 09, 2026 - 12:11 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

tap: free page on error paths in tap_get_user_xdp()

tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.

Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().

AnalysisAI

Denial-of-service via memory exhaustion in the Linux kernel's tap/vhost_net XDP path allows adjacent network attackers to leak kernel page-frag memory by sending malformed frames over a tap device. The bug in tap_get_user_xdp() fails to free pages allocated by vhost_net_build_xdp() on the error paths for undersized frames (<ETH_HLEN) and build_skb() allocation failures, with each rejected frame in a batch leaking one page-frag chunk. EPSS is 0.02% and no public exploit identified at time of analysis; not listed in CISA KEV.

Technical ContextAI

The vulnerability lives in drivers/net/tap.c within the XDP (eXpress Data Path) fast-path used by vhost_net to forward packets from userspace (typically QEMU/KVM guests) into the host's tap device. vhost_net_build_xdp() allocates a page-frag for each incoming buffer, and tap_get_user_xdp() is expected to consume or free that page. On two error paths - frame length shorter than ETH_HLEN (14 bytes) returning -EINVAL, and build_skb() returning -ENOMEM - the code jumped to the err label without releasing the page. Compounding this, tap_sendmsg() always returns 0 regardless of the per-buffer result, so vhost_tx_batch() treats the batch as successful and never reclaims the leaked pages. The root cause class is a missing-resource-release on error (CWE-401 memory leak), and the fix mirrors the analogous earlier correction in tun_xdp_one().

RemediationAI

Vendor-released patch: Linux stable 7.0.12 and 7.1-rc6 contain the fix; upgrade affected kernels by applying the commits 18a84c3 and 3bcf7ae from https://git.kernel.org/stable/c/18a84c35842e19cd3c5534d8cee73d31863f696d and https://git.kernel.org/stable/c/3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2, or roll forward to a distribution kernel that has backported these stable patches. Where immediate kernel updates are not feasible on virtualization hosts, compensating controls include disabling the XDP fast-path on tap interfaces used by vhost_net (which removes the affected code path but reduces guest network throughput), restricting which users can open /dev/vhost-net and /dev/net/tun (limits attackers to those who already have permitted guest access), and monitoring host slab/page-frag consumption per-VM via /proc/meminfo and cgroup memory accounting to detect leak-driven growth so operators can restart the offending qemu process before OOM. Avoid exposing tap fds to untrusted local users.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46320 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy