CVE-2026-46320 (GCVE-0-2026-46320)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:11 – Updated: 2026-06-19 12:00
VLAI?
Title
tap: free page on error paths in tap_get_user_xdp()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tap: free page on error paths in tap_get_user_xdp()
tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL,
and returns -ENOMEM when build_skb() fails. Both paths jump to the err
label without freeing the page that vhost_net_build_xdp() allocated for
the frame. tap_sendmsg() discards the per-buffer return value and always
returns 0, so vhost_tx_batch() takes the success path and never frees
the page; each rejected frame in a batch leaks one page-frag chunk.
Free the page on both error paths, before the skb is built. This is the
tap counterpart of the same leak in tun_xdp_one().
Severity ?
7.4 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0efac27791ee068075d80f07c55a229b1335ce12 , < 8d03e65eb6cfbffec471a6b65416f93679bf3286
(git)
Affected: 0efac27791ee068075d80f07c55a229b1335ce12 , < f979971835dddbca86cf99e3b2e2b94a408a1ab2 (git) Affected: 0efac27791ee068075d80f07c55a229b1335ce12 , < 3f52a86a482a69294c50a5a2a097bd6f4104990a (git) Affected: 0efac27791ee068075d80f07c55a229b1335ce12 , < d30aac0fa00ca0afc3e08174cf7f974a66bdcf05 (git) Affected: 0efac27791ee068075d80f07c55a229b1335ce12 , < d68eab61944a9b0826fa2e954e42db1aa3201b7a (git) Affected: 0efac27791ee068075d80f07c55a229b1335ce12 , < e27c17346628cb56843a83f93ac63c314c00f388 (git) Affected: 0efac27791ee068075d80f07c55a229b1335ce12 , < 18a84c35842e19cd3c5534d8cee73d31863f696d (git) Affected: 0efac27791ee068075d80f07c55a229b1335ce12 , < 3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/tap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8d03e65eb6cfbffec471a6b65416f93679bf3286",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
},
{
"lessThan": "f979971835dddbca86cf99e3b2e2b94a408a1ab2",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
},
{
"lessThan": "3f52a86a482a69294c50a5a2a097bd6f4104990a",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
},
{
"lessThan": "d30aac0fa00ca0afc3e08174cf7f974a66bdcf05",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
},
{
"lessThan": "d68eab61944a9b0826fa2e954e42db1aa3201b7a",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
},
{
"lessThan": "e27c17346628cb56843a83f93ac63c314c00f388",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
},
{
"lessThan": "18a84c35842e19cd3c5534d8cee73d31863f696d",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
},
{
"lessThan": "3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/tap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntap: free page on error paths in tap_get_user_xdp()\n\ntap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL,\nand returns -ENOMEM when build_skb() fails. Both paths jump to the err\nlabel without freeing the page that vhost_net_build_xdp() allocated for\nthe frame. tap_sendmsg() discards the per-buffer return value and always\nreturns 0, so vhost_tx_batch() takes the success path and never frees\nthe page; each rejected frame in a batch leaks one page-frag chunk.\n\nFree the page on both error paths, before the skb is built. This is the\ntap counterpart of the same leak in tun_xdp_one()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:17.235Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8d03e65eb6cfbffec471a6b65416f93679bf3286"
},
{
"url": "https://git.kernel.org/stable/c/f979971835dddbca86cf99e3b2e2b94a408a1ab2"
},
{
"url": "https://git.kernel.org/stable/c/3f52a86a482a69294c50a5a2a097bd6f4104990a"
},
{
"url": "https://git.kernel.org/stable/c/d30aac0fa00ca0afc3e08174cf7f974a66bdcf05"
},
{
"url": "https://git.kernel.org/stable/c/d68eab61944a9b0826fa2e954e42db1aa3201b7a"
},
{
"url": "https://git.kernel.org/stable/c/e27c17346628cb56843a83f93ac63c314c00f388"
},
{
"url": "https://git.kernel.org/stable/c/18a84c35842e19cd3c5534d8cee73d31863f696d"
},
{
"url": "https://git.kernel.org/stable/c/3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2"
}
],
"title": "tap: free page on error paths in tap_get_user_xdp()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46320",
"datePublished": "2026-06-09T12:11:12.882Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-19T12:00:17.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…