Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable but depends on non-default MPLS-plus-IPv6-disabled config so AC:H; only a gradual per-packet skb leak yields availability impact, hence A:L and C/I:N.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
neigh: let neigh_xmit take skb ownership
neigh_xmit always releases the skb, except when no neighbour table is found. But even the first added user of neigh_xmit (mpls) relied on neigh_xmit to release the skb (or queue it for tx).
sashiko reported: If neigh_xmit() is called with an uninitialized neighbor table (for example, NEIGH_ND_TABLE when IPv6 is disabled), it returns -EAFNOSUPPORT and bypasses its internal out_kfree_skb error path. Because the return value of neigh_xmit() is ignored here, does this leak the SKB?
Assume full ownership and remove the last code path that doesn't xmit or free skb.
AnalysisAI
Memory exhaustion in the Linux kernel networking stack stems from a socket buffer (SKB) leak in neigh_xmit(): when the function is called against an uninitialized neighbour table - for example NEIGH_ND_TABLE while IPv6 is disabled - it returns -EAFNOSUPPORT and bypasses its out_kfree_skb path, leaking the packet buffer because callers (originally MPLS) rely on neigh_xmit() to take ownership of the skb. Repeated triggering slowly exhausts kernel memory, leading to denial of service (CVSS 7.5, A:H). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Triggering requires the system to reach neigh_xmit() with an uninitialized neighbour table - concretely, MPLS forwarding (or another neigh_xmit user/lwtunnel encapsulation) must be active AND the targeted address family's neigh table must be uninitialized, the documented example being NEIGH_ND_TABLE when IPv6 is disabled, causing neigh_xmit() to return -EAFNOSUPPORT without freeing the skb. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a router or host configured for MPLS forwarding with IPv6 disabled, an attacker repeatedly sends frames that get routed through neigh_xmit() into the unsupported NEIGH_ND_TABLE path; each packet leaks one skb, and sustained traffic gradually exhausts kernel memory until the system degrades or hangs. No public exploit code is identified at time of analysis, and the network attack complexity is realistically high because it depends on a specific non-default networking setup. |
| Remediation | Upgrade to a kernel that includes the fix: Vendor-released patch - 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (or your distribution's backported equivalent). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Linux systems in your environment, determine kernel version, and identify which have MPLS or IPv6 networking enabled. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-401 – Memory Leak
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38849
GHSA-36qf-2q77-7jh9