Skip to main content

Linux Kernel EUVDEUVD-2026-35412

| CVE-2026-46322 HIGH
2026-06-09 Linux GHSA-3r6q-v9jg-jvv4
High
Disputed · 7.1 Vendor: Linux
Share

Severity by source

Sources disagree (Low–High)
Vendor (Linux) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
vuln.today AI
2.8 LOW

Local guest/CAP_NET_ADMIN access (PR:L, AV:L), build_skb() failure is non-trivial to force reliably (AC:H), guest-to-host scope change (S:C), gradual leak yields partial availability impact (A:L).

3.1 AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
SUSE
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Red Hat
5.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 14, 2026 - 06:33 vuln.today
CVSS changed
Jun 14, 2026 - 06:22 NVD
7.1 (HIGH)
Patch available
Jun 09, 2026 - 14:01 EUVD
CVE Published
Jun 09, 2026 - 12:11 cve.org
HIGH 7.1
CVE Published
Jun 09, 2026 - 12:11 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

tun: free page on build_skb failure in tun_xdp_one()

When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk.

Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform.

AnalysisAI

Memory leak in the Linux kernel's TUN driver (tun_xdp_one) allows a local attacker to exhaust host memory by repeatedly triggering build_skb() allocation failures, leaking one page-frag chunk per failed batch entry. The flaw affects the vhost_net XDP fast-path used by virtual machines and containers; with no public exploit identified at time of analysis and an EPSS score of 0.02% (5th percentile), real-world weaponization risk is low, but sustained leakage on busy virtualization hosts could degrade availability.

Technical ContextAI

The bug lives in drivers/net/tun.c in the XDP transmit path. vhost_net_build_xdp() allocates a page-frag for each frame and hands it to tun_xdp_one(); when build_skb() returns NULL (typically under memory pressure), the function sets -ENOMEM and jumps to the 'out' label without calling put_page() on the already-allocated frag. tun_sendmsg() swallows the per-buffer error and reports total_len as success, so vhost_tx_batch() never reclaims the page either. The class of bug is a missing release on an error path (CWE-401 Missing Release of Memory After Effective Lifetime), affecting upstream Linux from approximately 4.20 (when the tun XDP batch path was introduced via commit 043d222f93ab) through the fix commits backported to 6.12.93, 6.18.35, 7.0.12 and 7.1-rc6.

RemediationAI

Vendor-released patch: upgrade to Linux 6.12.93, 6.18.35, 7.0.12 or 7.1-rc6 (or any distribution kernel that backports commits aa8963fdce66, aa308e9dbb9a, d16e38fac09a or 4fefc6156a16 from git.kernel.org/stable). If immediate kernel upgrade is not feasible, the practical compensating control is to avoid the vulnerable code path: disable XDP on tun/tap interfaces backing guest VMs (do not attach an XDP program to the host-side tap), or fall back from vhost-net to userspace virtio backends - both options reduce packet-processing throughput for affected guests and should be evaluated against workload performance budgets. On hosts where untrusted tenants cannot drive the vhost-net XDP path (no nested virtualization, no untrusted container with CAP_NET_ADMIN on a tap), exposure is already minimal and scheduled patching is sufficient.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-35412 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy