Skip to main content

Linux Kernel CVE-2026-52981

| EUVDEUVD-2026-38849 HIGH
Memory Leak (CWE-401)
2026-06-24 Linux GHSA-36qf-2q77-7jh9
7.5
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
3.7 LOW

Network-reachable but depends on non-default MPLS-plus-IPv6-disabled config so AC:H; only a gradual per-packet skb leak yields availability impact, hence A:L and C/I:N.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:40 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:28 cve.org
HIGH 7.5
CVE Published
Jun 24, 2026 - 16:28 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

neigh: let neigh_xmit take skb ownership

neigh_xmit always releases the skb, except when no neighbour table is found. But even the first added user of neigh_xmit (mpls) relied on neigh_xmit to release the skb (or queue it for tx).

sashiko reported: If neigh_xmit() is called with an uninitialized neighbor table (for example, NEIGH_ND_TABLE when IPv6 is disabled), it returns -EAFNOSUPPORT and bypasses its internal out_kfree_skb error path. Because the return value of neigh_xmit() is ignored here, does this leak the SKB?

Assume full ownership and remove the last code path that doesn't xmit or free skb.

AnalysisAI

Memory exhaustion in the Linux kernel networking stack stems from a socket buffer (SKB) leak in neigh_xmit(): when the function is called against an uninitialized neighbour table - for example NEIGH_ND_TABLE while IPv6 is disabled - it returns -EAFNOSUPPORT and bypasses its out_kfree_skb path, leaking the packet buffer because callers (originally MPLS) rely on neigh_xmit() to take ownership of the skb. Repeated triggering slowly exhausts kernel memory, leading to denial of service (CVSS 7.5, A:H). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send packets to MPLS-forwarding host (IPv6 disabled)
Delivery
Routing invokes neigh_xmit on uninitialized ND table
Exploit
neigh_xmit returns -EAFNOSUPPORT, skb not freed
Execution
Sustain traffic to accumulate leaked SKBs
Impact
Kernel memory exhausted, denial of service

Vulnerability AssessmentAI

Exploitation Triggering requires the system to reach neigh_xmit() with an uninitialized neighbour table - concretely, MPLS forwarding (or another neigh_xmit user/lwtunnel encapsulation) must be active AND the targeted address family's neigh table must be uninitialized, the documented example being NEIGH_ND_TABLE when IPv6 is disabled, causing neigh_xmit() to return -EAFNOSUPPORT without freeing the skb. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a router or host configured for MPLS forwarding with IPv6 disabled, an attacker repeatedly sends frames that get routed through neigh_xmit() into the unsupported NEIGH_ND_TABLE path; each packet leaks one skb, and sustained traffic gradually exhausts kernel memory until the system degrades or hangs. No public exploit code is identified at time of analysis, and the network attack complexity is realistically high because it depends on a specific non-default networking setup.
Remediation Upgrade to a kernel that includes the fix: Vendor-released patch - 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (or your distribution's backported equivalent). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Linux systems in your environment, determine kernel version, and identify which have MPLS or IPv6 networking enabled. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52981 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy