{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-46321","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-13T15:03:33.112Z","datePublished":"2026-06-09T12:11:13.872Z","dateUpdated":"2026-06-19T12:00:22.421Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-19T12:00:22.421Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntun: free page on short-frame rejection in tun_xdp_one()\n\ntun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without\nfreeing the page that vhost_net_build_xdp() allocated for it.\ntun_sendmsg() discards that -EINVAL and still returns total_len, so\nvhost_tx_batch() takes the success path and never frees the page; each\nshort frame in a batch leaks one page-frag chunk.\n\nA local process that can open /dev/net/tun and /dev/vhost-net can hit\nthis path: it attaches a tun/tap device as the vhost-net backend and\nfeeds TX descriptors whose length minus the virtio-net header is below\nETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a\ntight submission loop exhausts host memory and triggers an OOM panic.\nFree the page before returning -EINVAL, matching the XDP-program error\npath in the same function."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/tun.c"],"versions":[{"version":"6100e0237204890269e3f934acfc50d35fd6f319","lessThan":"0a6f46a9332ad6958992d64d3b3a81a80b2ca940","status":"affected","versionType":"git"},{"version":"589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2","lessThan":"0e8211fcf9426f5adddf32516ba0f400ceb9544d","status":"affected","versionType":"git"},{"version":"ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146","lessThan":"e915445942af6dcea628bf66d6241641201a0c41","status":"affected","versionType":"git"},{"version":"d5ad89b7d01ed4e66fd04734fc63d6e78536692a","lessThan":"5b34f9e4fe2f203724a6e893d6df0316b9670057","status":"affected","versionType":"git"},{"version":"049584807f1d797fc3078b68035450a9769eb5c3","lessThan":"69863ff2720a0e9871f1a5710f2a33a94217fee0","status":"affected","versionType":"git"},{"version":"049584807f1d797fc3078b68035450a9769eb5c3","lessThan":"37a1c268c2c8090bf4dc552d732bd23ba36f8eb0","status":"affected","versionType":"git"},{"version":"049584807f1d797fc3078b68035450a9769eb5c3","lessThan":"98c67be9eb9de72465a071949e84a3cdb8fab5a3","status":"affected","versionType":"git"},{"version":"049584807f1d797fc3078b68035450a9769eb5c3","lessThan":"f4feb1e20058e407cb00f45aff47f5b7e19a6bbf","status":"affected","versionType":"git"},{"version":"32b0aaba5dbc85816898167d9b5d45a22eae82e9","status":"affected","versionType":"git"},{"version":"a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb","status":"affected","versionType":"git"},{"version":"8418f55302fa1d2eeb73e16e345167e545c598a5","status":"affected","versionType":"git"},{"version":"5.10.223","lessThan":"5.10.259","status":"affected","versionType":"semver"},{"version":"5.15.164","lessThan":"5.15.210","status":"affected","versionType":"semver"},{"version":"6.1.102","lessThan":"6.1.176","status":"affected","versionType":"semver"},{"version":"6.6.43","lessThan":"6.6.143","status":"affected","versionType":"semver"},{"version":"5.4.281","lessThan":"5.5","status":"affected","versionType":"semver"},{"version":"6.9.12","lessThan":"6.10","status":"affected","versionType":"semver"},{"version":"6.10.2","lessThan":"6.11","status":"affected","versionType":"semver"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/tun.c"],"versions":[{"version":"6.11","status":"affected"},{"version":"0","lessThan":"6.11","status":"unaffected","versionType":"semver"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.93","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.35","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.12","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.223","versionEndExcluding":"5.10.259"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.164","versionEndExcluding":"5.15.210"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.102","versionEndExcluding":"6.1.176"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.43","versionEndExcluding":"6.6.143"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"6.12.93"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"6.18.35"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"7.0.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"7.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.281"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.9.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10.2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0a6f46a9332ad6958992d64d3b3a81a80b2ca940"},{"url":"https://git.kernel.org/stable/c/0e8211fcf9426f5adddf32516ba0f400ceb9544d"},{"url":"https://git.kernel.org/stable/c/e915445942af6dcea628bf66d6241641201a0c41"},{"url":"https://git.kernel.org/stable/c/5b34f9e4fe2f203724a6e893d6df0316b9670057"},{"url":"https://git.kernel.org/stable/c/69863ff2720a0e9871f1a5710f2a33a94217fee0"},{"url":"https://git.kernel.org/stable/c/37a1c268c2c8090bf4dc552d732bd23ba36f8eb0"},{"url":"https://git.kernel.org/stable/c/98c67be9eb9de72465a071949e84a3cdb8fab5a3"},{"url":"https://git.kernel.org/stable/c/f4feb1e20058e407cb00f45aff47f5b7e19a6bbf"}],"title":"tun: free page on short-frame rejection in tun_xdp_one()","x_generator":{"engine":"bippy-1.2.0"}}}}