HIGH
tun XDP Memory Leak
CVE-2026-46321
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
KernelScan AI: 5.5 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

tun: free page on short-frame rejection in tun_xdp_one()

tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.

A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic.

Free the page before returning -EINVAL, matching the XDP-program error path in the same function.
02 KernelScan AI Analysis
Risk summary
Local users with access to /dev/net/tun and /dev/vhost-net can exhaust host memory by repeatedly sending malformed short frames through vhost-net. Each short frame leaks a page fragment, allowing attackers to trigger out-of-memory conditions and system crashes.
Vulnerability analysis
The vulnerability occurs in tun_xdp_one() when processing frames shorter than ETH_HLEN (14 bytes). The function correctly rejects these frames by returning -EINVAL, but fails to free the page allocated by vhost_net_build_xdp(). Since tun_sendmsg() discards the error and returns success, vhost_tx_batch() never frees the leaked page fragments. The fix adds put_page(virt_to_head_page(xdp->data)) before the early return, matching the cleanup pattern used elsewhere in the same function. Attack surface is local-only; exploitation requires CAP_NET_ADMIN to open the TUN/TAP and vhost-net devices, which is achievable in user namespaces on default kernels.
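The ownership gap described above can be followed in a small userspace model. This is an added example, not kernel source: every model_* name is hypothetical, the chunk counter stands in for page-frag chunks, and the frame lengths are constructed.

```c
/* Userspace model of the leak; not kernel code. model_* names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define ETH_HLEN 14        /* Ethernet header length, same value as the kernel's */

static long live_chunks;   /* page-frag chunks allocated but not yet released */

/* Stands in for vhost_net_build_xdp(): one chunk per TX descriptor. */
static void model_build(void) { live_chunks++; }

/* Stands in for put_page(virt_to_head_page(xdp->data)). */
static void model_put(void) { live_chunks--; }

/* Stands in for tun_xdp_one(). frame_len is the descriptor length minus the
 * virtio-net header; 'patched' selects the fixed short-frame path. */
static int model_xdp_one(size_t frame_len, int patched)
{
    if (frame_len < ETH_HLEN) {
        if (patched)
            model_put();   /* the release the fix adds before -EINVAL */
        return -EINVAL;
    }
    model_put();           /* accepted frame: ownership passes downstream */
    return 0;
}

/* Stands in for tun_sendmsg() under vhost_tx_batch(): the per-frame error is
 * discarded, so the caller takes the success path and frees nothing.
 * Returns the number of chunks still outstanding after the batch. */
static long model_batch_leak(const size_t *lens, size_t n, int patched)
{
    live_chunks = 0;
    for (size_t i = 0; i < n; i++) {
        model_build();
        (void)model_xdp_one(lens[i], patched);
    }
    return live_chunks;
}

int main(void)
{
    const size_t lens[] = { 60, 4, 13, 14, 0, 1500 };  /* constructed lengths */
    printf("unpatched leaks %ld, patched leaks %ld\n",
           model_batch_leak(lens, 6, 0), model_batch_leak(lens, 6, 1));
    return 0;
}
```

Because the caller never sees the error, the rejecting function is the only place that can release the buffer, which is why the fix sits in the early-return path.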
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.259 | 0a6f46a9332a |
| 5.15 | 5.15.210 | 0e8211fcf942 |
| 5.4 | 5.5 | 69863ff2720a |
| 6.1 | 6.1.176 | e915445942af |
| 6.10 | 6.11 | 98c67be9eb9d |
| 6.12 | 6.12.93 | f4feb1e20058 |
| 6.18 | 6.18.35 | — |
| 6.6 | 6.6.143 | 5b34f9e4fe2f |
| 6.9 | 6.10 | 37a1c268c2c8 |
| 7.0 | 7.0.12 | — |
| mainline | 7.1 | — |