Skip to main content

Linux Kernel EUVDEUVD-2026-35411

| CVE-2026-46321 HIGH
2026-06-09 Linux GHSA-3qqh-vm6g-ghw6
7.1
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Local trigger via tun/vhost-net device nodes that normally require a privileged group, so PR:L rather than PR:N; reliable kernel-wide OOM panic gives A:H and S:C, with no C/I impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 14, 2026 - 06:33 vuln.today
CVSS changed
Jun 14, 2026 - 06:22 NVD
7.1 (HIGH)
Patch available
Jun 09, 2026 - 14:01 EUVD
CVE Published
Jun 09, 2026 - 12:11 cve.org
HIGH 7.1
CVE Published
Jun 09, 2026 - 12:11 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

tun: free page on short-frame rejection in tun_xdp_one()

tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.

A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.

AnalysisAI

Local denial-of-service in the Linux kernel's tun/vhost-net subsystem allows an unprivileged process with access to /dev/net/tun and /dev/vhost-net to leak page-frag chunks on every short frame (length minus virtio-net header below ETH_HLEN) submitted to tun_xdp_one(), eventually exhausting host memory and triggering an OOM panic. The flaw is a missing put_page() on the -EINVAL error path that tun_sendmsg() then masks by reporting success to vhost_tx_batch(). EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug is upstream-confirmed with patches in stable trees.

Technical ContextAI

The defect lives in drivers/net/tun.c, specifically tun_xdp_one(), which validates XDP-fed frames coming from vhost_net's batched TX path. vhost_net_build_xdp() pre-allocates a page-frag buffer to hold the frame; when tun_xdp_one() finds the frame is smaller than ETH_HLEN (14 bytes) it short-circuits with -EINVAL but never calls put_page() on the buffer, while the working XDP-program error branch in the same function does free it. tun_sendmsg() then swallows the -EINVAL and returns total_len, so vhost_tx_batch() believes the batch succeeded and never reclaims the buffer. Root cause is a classic missing-release-on-error-path memory leak (CWE-401/CWE-772 class), made reachable because tun and vhost-net device nodes are user-facing character devices when accessible.

RemediationAI

Vendor-released patch: upgrade to a kernel containing the stable backports - 5.4.281+, 5.10.223+, 5.15.164+, 6.1.102+, 6.6.43+, 6.9.12+, 6.10.2+, 6.12.93+, or 6.18.35+ - using the upstream commits at https://git.kernel.org/stable/c/f4feb1e20058e407cb00f45aff47f5b7e19a6bbf and the companion stable trees (69863ff2720a, 37a1c268c2c8, 98c67be9eb9d) referenced in the CVE record. Until kernels are rebooted into the patched build, restrict access to /dev/net/tun and /dev/vhost-net by tightening udev rules or group ownership so that only trusted accounts (typically root, kvm, or libvirt-managed users) can open them - note this will break unprivileged userspace VMMs or container networking that legitimately rely on these nodes. On hypervisor hosts you can also disable vhost-net acceleration in QEMU/libvirt (vhost=off) to remove the vulnerable code path at the cost of measurably higher virtio-net CPU overhead and latency. See https://nvd.nist.gov/vuln/detail/CVE-2026-46321 and https://vuldb.com/vuln/369526 for tracking.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-35411 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy