CVE-2026-46322

Source
https://cve.org/CVERecord?id=CVE-2026-46322
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46322.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-46322
Downstream
Related
Published
2026-06-09T12:11:14.776Z
Modified
2026-07-09T03:56:42.736653729Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H CVSS Calculator
Summary
tun: free page on build_skb failure in tun_xdp_one()
Details

In the Linux kernel, the following vulnerability has been resolved:

tun: free page on buildskb failure in tunxdp_one()

When buildskb() fails in tunxdpone(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhostnetbuildxdp() allocated for the frame. As with the short-frame rejection path, tunsendmsg() discards the per-buffer error and still returns totallen, so vhosttxbatch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk.

Free the page before taking the error path, matching the putpage() the other error exits of tunxdp_one() already perform.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46322.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
043d222f93ab8c76b56a3b315cd8692e35affb6c
Fixed
26fe549b5192536b6c1c68a2dfdc8c0dcf9fa4a9
Fixed
793385c154771603b8671dd8338927221e9d8d78
Fixed
2638a9c1521905bb5c5d1e95c8fbc09f79148ed7
Fixed
60d9c0d6cdde5420d6483c921b16fe5465eb5238
Fixed
d16e38fac09a47bfcf98c1ad65a1bb53f94540f5
Fixed
aa308e9dbb9acb17cacdbbce9e4504f69bac8385
Fixed
4fefc6156a162a9f50035c12091a5e5130c82c6e
Fixed
aa8963fdce667a42fb7f0bdd2909fadcab02f9a8

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46322.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.10.259
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.210
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.176
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.143
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.93
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.35
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.12

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46322.json"