{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-46320","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-13T15:03:33.112Z","datePublished":"2026-06-09T12:11:12.882Z","dateUpdated":"2026-06-19T12:00:17.235Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-19T12:00:17.235Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntap: free page on error paths in tap_get_user_xdp()\n\ntap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL,\nand returns -ENOMEM when build_skb() fails. Both paths jump to the err\nlabel without freeing the page that vhost_net_build_xdp() allocated for\nthe frame. tap_sendmsg() discards the per-buffer return value and always\nreturns 0, so vhost_tx_batch() takes the success path and never frees\nthe page; each rejected frame in a batch leaks one page-frag chunk.\n\nFree the page on both error paths, before the skb is built. This is the\ntap counterpart of the same leak in tun_xdp_one()."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H","baseScore":7.4,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/tap.c"],"versions":[{"version":"0efac27791ee068075d80f07c55a229b1335ce12","lessThan":"8d03e65eb6cfbffec471a6b65416f93679bf3286","status":"affected","versionType":"git"},{"version":"0efac27791ee068075d80f07c55a229b1335ce12","lessThan":"f979971835dddbca86cf99e3b2e2b94a408a1ab2","status":"affected","versionType":"git"},{"version":"0efac27791ee068075d80f07c55a229b1335ce12","lessThan":"3f52a86a482a69294c50a5a2a097bd6f4104990a","status":"affected","versionType":"git"},{"version":"0efac27791ee068075d80f07c55a229b1335ce12","lessThan":"d30aac0fa00ca0afc3e08174cf7f974a66bdcf05","status":"affected","versionType":"git"},{"version":"0efac27791ee068075d80f07c55a229b1335ce12","lessThan":"d68eab61944a9b0826fa2e954e42db1aa3201b7a","status":"affected","versionType":"git"},{"version":"0efac27791ee068075d80f07c55a229b1335ce12","lessThan":"e27c17346628cb56843a83f93ac63c314c00f388","status":"affected","versionType":"git"},{"version":"0efac27791ee068075d80f07c55a229b1335ce12","lessThan":"18a84c35842e19cd3c5534d8cee73d31863f696d","status":"affected","versionType":"git"},{"version":"0efac27791ee068075d80f07c55a229b1335ce12","lessThan":"3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/tap.c"],"versions":[{"version":"4.20","status":"affected"},{"version":"0","lessThan":"4.20","status":"unaffected","versionType":"semver"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.36","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.12","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.10.259"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.15.210"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"6.1.176"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"6.6.143"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"6.12.94"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"6.18.36"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"7.0.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"7.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/8d03e65eb6cfbffec471a6b65416f93679bf3286"},{"url":"https://git.kernel.org/stable/c/f979971835dddbca86cf99e3b2e2b94a408a1ab2"},{"url":"https://git.kernel.org/stable/c/3f52a86a482a69294c50a5a2a097bd6f4104990a"},{"url":"https://git.kernel.org/stable/c/d30aac0fa00ca0afc3e08174cf7f974a66bdcf05"},{"url":"https://git.kernel.org/stable/c/d68eab61944a9b0826fa2e954e42db1aa3201b7a"},{"url":"https://git.kernel.org/stable/c/e27c17346628cb56843a83f93ac63c314c00f388"},{"url":"https://git.kernel.org/stable/c/18a84c35842e19cd3c5534d8cee73d31863f696d"},{"url":"https://git.kernel.org/stable/c/3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2"}],"title":"tap: free page on error paths in tap_get_user_xdp()","x_generator":{"engine":"bippy-1.2.0"}}}}